b'office of inspector gener al\nsemiannual report\n\n    to congress\n\n  OCTOBER 1, 2013 to M ARCH 31, 2014\n\x0c                                    FOREWORD \n\nIn the last two Semiannual Reports we have stressed the importance ofinternal controls.\nSimply put, without an effective internal control program an organization may never reach its\ntrue potential. Internal controls are essential for improving efficiency and program\neffectiveness. The National Archives and Records Administration (NARA) continues to be\nchallenged in this area. NARA has an incredibly talented and dedicated staff, but without an\neffective internal control program, NARA staffmembers do not have all ofthe tools they need to\nmake positive changes for the agency.\n\nUnfortunately, NARA \'s struggles with implementing and executing an internal control program\nare not limited to one or two offices or programs. NARA has a systematic, agency-wide\ndeficiency which must be addressed. As we have stated before, as the Federal budget situation\nbecomes increasingly constrained, internal controls only gain importance. For NARA to meet\nthe agency\'s mission, and to reach its true potential as an organization, it must expend\nincreased effort in this area. Senior leadership report they have embraced internal controls and\nacknowledge their importance. However, NARA is at the beginning of what needs to be a\nprolonged and intensive effort. An internal control is a process; it must be monitored, evaluated\nand adapted to provide the best results through continuous improvement. Senior leadership\nneeds to make sure their acceptance ofthis fact spreads through the entire agency, and they\nprovide NARA staffthe resources necessary to make it happen.\n\nThe effects ofa lack ofan effective internal control program permeate the work ofthe entire\nagency, affecting even the work ofthe Office ofInspector General (OIG). As noted in our\nongoing audit peer review, NARA is drastically behind in creating action plans to address audit\nrecommendations. These delays can undermine the audit\'s potential to improve the agency.\nAccordingly, NARA must identify and address the cause ofthese delays. We look forward to\nresolving these issues and continuing to independently provide the services necessary to help\nNARA improve.\n\nI am proud ofthe work we have accomplished this semiannual reporting period, and ofthe\nongoing work being executed by this office. The employees ofthe OIG remain hardworking\nand dedicated to our mission. I thank those individuals who have come to support this office\nand help us conduct its necessary work. We have an ambitious agenda ahead ofus in the\ncoming months, and I look forward to presenting the results ofthis effort in future reporting\nperiods.\n\n\n\n\n                                             9::::rin~\n                                                   Acting Inspector General\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS\nOctober 1, 2013 to March 31, 2014                                                  Page i\n\x0cTABLE OF CONTENTS\n\nForeword......................................................................................................................................... i\n\n\nExecutive Summary .......................................................................................................................2 \n\n\nIntroduction ...................................................................................................................................5 \n\n\nActivities .........................................................................................................................................7 \n\n\nAudits ...........................................................................................................................................10 \n\n\n           Management and Oversight of NARA\'s Energy Savings Performance Contracts ...11 \n\n           NARA\xe2\x80\x99s Payments to Federal Agencies (excluding GSA)............................................11 \n\n           Use of Presidential Library Facilities by Outside Organizations ................................12 \n\n           NARA Field Office Acquisition Activities .....................................................................12 \n\n           NARA\xe2\x80\x99s Fiscal Year 2013 Financial Statement Review ...............................................13 \n\n\nInvestigations................................................................................................................................14 \n\n\n           General Investigations .....................................................................................................15 \n\n           Archival Recovery Team Activity ..................................................................................16 \n\n           Computer Crimes Unit ....................................................................................................19 \n\n           OIG Hotline ......................................................................................................................20 \n\n\nDisagreements with Significant Management Decisions ..........................................................21 \n\n\nTop Ten Management Challenges .............................................................................................23 \n\n\nReporting Requirements ............................................................................................................28 \n\n\nPrior Fiscal Years\' Open Audit Recommendations..................................................................33 \n\n\n\n\n\n Visit http://www.archives.gov/oig/ to learn more about the National Archives Office of Inspector General.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                                                            Page 1\n\nOctober 1, 2013 to March 31, 2014\n\n\x0cEXECUTIVE SUMMARY\n\nThis is the 51st Semiannual Report to the Congress summarizing the activities and\naccomplishments of the National Archives and Records Administration (NARA) Office of\nInspector General (OIG). A summary of NARA\xe2\x80\x99s top ten management challenges is included as\nwell. The highlights of our major functions are summarized below.\n\n                                    Audits and Reports\nThe Audit Division continued to examine NARA\xe2\x80\x99s Information Technology (IT) systems,\nincluding the Electronic Records Archives (ERA) system, and assess the economy and\nefficiency of NARA\xe2\x80\x99s programs and operations. During the reporting period, we issued the\nfollowing audit reports and management letters.\n\nPrograms and Operations\n   \xe2\x80\xa2\t Management & Oversight of NARA\xe2\x80\x99s Energy Savings Performance Contracts\n       (ESPCs). Since 1999, NARA has awarded six ESPCs with a total value of over $24\n       million. These multiyear contract vehicles are designed to enhance energy efficiencies\n       whereby the savings generated are used to pay for the contracted enhancements.\n       However, NARA\xe2\x80\x99s inadequate management and oversight of ESPCs resulted in\n       questionable payments exceeding $8.4 million, and placed the success of its ESPC\n       energy efficiency efforts and investments at risk. (OIG Audit Report #14-01, dated\n       January 30, 2014. See page 11.)\n\n   \xe2\x80\xa2\t NARA\xe2\x80\x99s Payments to Federal Agencies (excluding GSA). Overall, for the agreements\n      we reviewed, the obligations appeared to be appropriate, and NARA appeared to receive\n      services in accordance with contract agreements. However, we found some contract\n      payments were authorized prior to either verifying amounts or reviewing contract\n      documentation. (OIG Audit Report #14-07, dated April 2, 2014. See page 11.)\n\n   \xe2\x80\xa2\t Use of Presidential Library Facilities by Outside Organizations. One main control\n      for outside groups who want to use Presidential library facilities for functions is a\n      mandatory NARA application form. However, organizations were not always required\n      to complete these forms, and when they were, the forms were not always properly\n      completed. This violates regulations and hinders the ability to review and determine\n      whether the groups followed the rules and regulations. From the limited forms available,\n      it appears some events may have involved prohibited religious activities. (OIG Audit\n      Report #14-04, dated March 5, 2014. See page 12.)\n\n   \xe2\x80\xa2\t NARA\xe2\x80\x99s Field Office Acquisition Activity. NARA\xe2\x80\x99s field office procurement\n      activities generally appeared to be in compliance with the Federal Acquisition\n      Regulation (FAR), and management controls over these acquisitions generally appeared\n      to be adequate. However, increased attention is needed to further strengthen acquisition\n      activity within NARA field offices. (OIG Audit Report #14-05, dated March 11, 2014.\n      See page 12.)\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                          Page 2\nOctober 1, 2013 to March 31, 2014\n\x0cEXECUTIVE SUMMARY\n\n   \xe2\x80\xa2\t NARA\xe2\x80\x99s Fiscal Year 2013 Financial Statements. NARA received an unqualified\n      opinion on their financial statements. There were no material weaknesses in internal\n      control over financial reporting, no significant deficiencies, and no instances of\n      noncompliance with certain provisions of laws and regulations. (Audit Memorandum\n      #14-02, dated January 15, 2014. See page 13.)\n\nManagement Issues\n\n   \xe2\x80\xa2\t Untimely Notification Hinders OIG\xe2\x80\x99s Ability to Investigate Potential Theft and\n      Places NARA Holdings at Risk. Neither the OIG nor the Holdings Protection Team\n      (HPT) were notified as soon as possible of a recent incident at Archives II in which a\n      researcher allegedly tried to conceal or steal NARA documents. Without timely\n      notification of potential concealment or theft, the opportunity to conduct searches may\n      be lost, and witness reliability may be compromised. If NARA employees delay\n      notifying the HPT and the OIG, NARA holdings are at risk of permanent loss and\n      damage. (OIG Management Letter #14-02, dated January 9, 2014.)\n\n   \xe2\x80\xa2\t NARA Computer Internet Browser Settings. We identified a weakness in how\n      NARA provides internet access on NARA-owned computers. This weakness had a\n      direct effect on what evidence could be available in criminal and other investigations,\n      and in fact had been exploited by an employee in a recent investigation. Due to the\n      sensitive nature of the weakness, and the specificity with which it was addressed in the\n      management letter, the contents of the letter will not be posted online. (OIG\n      Management Letter #14-06, dated January 22, 2014.)\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 3\nOctober 1, 2013 to March 31, 2014\n\x0cEXECUTIVE SUMMARY\n\n                                      Investigations\n\nSignificant accomplishments by the Office of Investigations (OI) during this reporting period\ninclude:\n\n   \xe2\x80\xa2\t The OI facilitated the return of 766 historical items to repositories across the country.\n\n   \xe2\x80\xa2\t The Archival Recovery Team (ART) recovered a Presidential pardon signed by\n\n      President Franklin Pierce that had been listed on the Missing Documents list. \n\n\n   \xe2\x80\xa2\t ART recovered a document from a Pennsylvania Civil War Prize case file dated August\n      12, 1862.\n\n   \xe2\x80\xa2\t Based on an OI referral, NARA recovered a page missing from a deck log for the U.S.S.\n      Malvern.\n\n   \xe2\x80\xa2\t The OI assessed critical incident law enforcement response plans at a NARA facility,\n      and the OIG issued a report detailing the review and proposing suggestions for\n      improvement.\n\n   \xe2\x80\xa2\t The OI investigated allegations a private researcher concealed documents on their person\n      and left a NARA facility. The OI found the researcher had in fact concealed personal\n      papers under their clothing before leaving a NARA research room.\n\n   \xe2\x80\xa2\t Two former NARA employees were sentenced to two years probation for destruction of\n      Federal property.\n\nThe OI opened 12 investigations and 23 complaints for preliminary investigation, while closing\n7 investigations and 25 complaints. At the end of this reporting period, the OI had 20 ongoing\ninvestigations and 5 complaints. The OI referred one assessment to NARA management for\ninformation and appropriate action. Fifty-two percent of the ongoing investigations and\ncomplaints involve the potential alienation of NARA holdings. This number reflects continuing\nOI efforts to identify and investigate lost, missing, and stolen NARA holdings.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 4\nOctober 1, 2013 to March 31, 2014\n\x0cINTRODUCTION\n\n       About the National Archives and Records Administration\n\nMission\nThe National Archives and Records Administration serves American democracy by safeguarding\nand preserving the records of our Government, ensuring the people can discover, use, and learn\nfrom this documentary heritage. Further, the agency ensures continuing access to the essential\ndocumentation of the rights of American citizens and the actions of their government; and\nsupports democracy, promotes civic education, and facilitates historical understanding of our\nnational experience.\n\nBackground\nNARA, by preserving the nation\xe2\x80\x99s documentary history, serves as a public trust on which our\ndemocracy depends. It enables citizens to inspect for themselves the record of what the\nGovernment has done. It enables officials and agencies to review their actions and helps citizens\nhold them accountable. It ensures continuing access to essential evidence documenting the rights\nof American citizens, the actions of Federal officials, and the national experience.\n\nFederal records reflect and document America\xe2\x80\x99s development over more than 225 years. They\nare great in number, diverse in character, and rich in information. NARA\xe2\x80\x99s traditional holdings\namount to nearly 4.7 million cubic feet of records. These holdings also include, among other\nthings, letters, reports, architectural/engineering drawings, maps and charts; moving images and\nsound recordings; and photographic images. Additionally, NARA maintains nearly 600,000\nartifact items and approximately 523 terabytes of electronic records. The number of records\nborn and stored solely in the electronic world will only continue to grow, thus NARA developed\nthe Electronic Record Archives to attempt to address this burgeoning issue.\n\nNARA involves millions of people in its public programs, which include exhibitions, tours,\neducational programs, film series, and genealogical workshops. In FY 2013, NARA had 49.6\nmillion online visits in addition to hosting 3.2 million traditional museum visitors, all while\nresponding to approximately 1.2 million written requests from the public. NARA also publishes\nthe Federal Register and other legal and reference documents, forming a vital link between the\nFederal Government and those affected by its regulations and actions. Through the National\nHistorical Publications and Records Commission, NARA helps preserve and publish non-Federal\nhistorical documents that also constitute an important part of our national heritage. Additionally,\nNARA administers 13 Presidential libraries preserving the papers and other historical materials\nof all past Presidents since Herbert Hoover.\n\nResources\nIn Fiscal Year (FY) 2014, NARA was appropriated $386.6 million. This included $370 million\nfor Operating Expenses (including the operations and maintenance of the Electronic Records\nArchives system), $8 million for Repairs and Restoration of NARA-owned buildings, $4.5\nmillion for the National Historical Publications and Records Commission (NHPRC), and $4.13\nmillion for IG operations. With approximately 3,023 (estimated) Full-time Equivalents (FTEs),\nNARA operates 46 facilities nationwide.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 5\nOctober 1, 2013 to March 31, 2014\n\x0cINTRODUCTION\n\n                 About the Office of Inspector General (OIG)\n\nThe OIG Mission\nThe OIG serves the American citizen by improving the effectiveness, efficiency, and economy of\nNARA programs and operations. As part of our mission we detect and prevent fraud and abuse\nin NARA programs, and strive to ensure proper stewardship over Federal funds. We accomplish\nthis by providing high-quality, objective audits and investigations, and serving as an\nindependent, internal advocate. Unique to our mission among other OIGs is our duty to ensure\nNARA protects and preserves the items belonging in our holdings, while safely providing the\nAmerican people with the opportunity to discover, use, and learn from our documentary heritage.\n\nBackground\nThe Inspector General Act of 1978, as amended, along with the Inspector General Reform Act of\n2008, establishes the OIG\xe2\x80\x99s independent role and general responsibilities. The Inspector General\nreports to both the Archivist of the United States and the Congress. The OIG evaluates NARA\xe2\x80\x99s\nperformance, makes recommendations for improvements, and follows up to ensure economical,\nefficient, and effective operations and compliance with laws, policies, and regulations. In\nparticular, the OIG:\n\n\xe2\x80\xa2\t assesses the effectiveness, efficiency, and economy of NARA programs and operations;\n\xe2\x80\xa2\t recommends improvements in policies and procedures to enhance operations and correct\n   deficiencies;\n\xe2\x80\xa2\t recommends cost savings through greater efficiency and economy of operations, alternative\n   use of resources, and collection actions; and\n\xe2\x80\xa2\t investigates and recommends legal and management actions to correct fraud, waste, abuse, or\n   mismanagement.\n\nFurther, the OIG investigates criminal and administrative matters concerning the agency, helping\nensure the safety and viability of NARA\xe2\x80\x99s holdings, customers, staff, and resources.\n\nResources\nIn FY 2014, Congress provided $4.13 million for the OIG\xe2\x80\x99s appropriation, including\nauthorization for 22 FTEs. However, mandatory spending cuts under sequestration left the\nOIG\xe2\x80\x99s FY 2013 budget at approximately $3.9 million. At the beginning of the period there were\n19 FTEs on board, but two audit positions were vacated. Currently the OIG has 17 FTEs on\nboard, including one Inspector General (currently on leave with pay), an Acting Inspector\nGeneral, one support staff, six FTEs devoted to audits, seven FTEs devoted to investigations, and\na counsel to the Inspector General.\n\nFurther, the OIG remains concerned we could lack funding to investigate an incident outside of\nWashington, DC, at the end of the fiscal year. We feel it would not be prudent to ask for\nincreased appropriated funds each year for such a contingency. Instead, we have sought a\nlimited transfer provision from NARA, so we could ask for available end-of-year funds in such a\ncircumstance. However, NARA management does not support our position and states they will\nnot request such a transfer provision.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                            Page 6\nOctober 1, 2013 to March 31, 2014\n\x0cACTIVITIES\n\n               Involvement in the Inspector General Community\nCounsel of Inspectors General on Integrity and Efficiency (CIGIE)\nLegislation Committee\nThe Legislation Committee provides regular and ongoing communication regarding legislative\nissues and other matters of common interest between the Congress and CIGIE. Specifically, the\nCommittee provides timely information about congressional initiatives to the IG community;\nsolicits the views and concerns of the community in response to legislative initiatives and\ncongressional requests; and presents views and recommendations to congressional committees\nand staff, the Government Accountability Office, and the Office of Management and Budget on\nissues and legislation affecting the IG community. The OIG continues to serve as a member of\nthe CIGIE Legislation Committee. OIG counsel is involved in drafting the Committee\xe2\x80\x99s\ncomments to Congress on potential legislation, and in other aspects of the Committee\xe2\x80\x99s work.\n\nFederal Audit Executive Council (FAEC)\nThe Assistant Inspector General for Audits (AIGA) continued to serve as a representative to the\nFAEC. The AIGA attended FAEC\xe2\x80\x99s meeting to discuss topics such as financial statement audit\nissues, audit training, opinion reports on internal controls, and information security.\n\nAssistant Inspectors General for Investigations (AIGI) Committee\nThe AIGI Committee is a standing subcommittee to the CIGIE Investigations Committee. As a\nmember, the AIGI helps provide guidance, assistance, and support to the CIGIE Investigations\nCommittee in the performance of its duties. In addition, the AIGI Committee serves as a conduit\nfor suggestions, issues, and concerns affecting the OIG investigations community.\n\nInvestigations Committee Program Fraud Civil Relief Act Working Group\nAs a member of the Investigations Committee Program Fraud Civil Relief Act (PFCRA)\nworking group, the OIG counsel continued to contribute to promoting the use of PFCRA\nthroughout the IG community. A PFCRA manual has been produced by the Working group and\nadopted for IG-wide use.\n\nCouncil of Counsels to Inspectors General (CCIG)\nThe OIG counsel continues to be an active member of the CCIG. The CCIG provides a rich\nenvironment wherein legal issues can be raised and interpretations can be presented and\nreviewed with an experienced network of OIG lawyers.\n\nCIGIE Training Institute\nThe OIG counsel continued to work with the CIGIE Training Institute to develop and teach the\nIG Authorities course.\n\nWhistleblower Ombuds Working Group (WOWG)\nIn accordance with the spirit of the Whistleblower Protection Enhancement Act of 2013, the OIG\nis forming a whistleblower ombuds program, and is working with the WOWG to learn best\npractices and implement an effective training program.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 7\nOctober 1, 2013 to March 31, 2014\n\x0cACTIVITIES\n\n                   Management Assistance and Other Work\n\xe2\x80\xa2\t Provided comment and input into several NARA directives and regulations covering a\n   variety of topics. This included NARA\xe2\x80\x99s Anti-Harassment Program, NARA 396; NARA\xe2\x80\x99s\n   Enterprise Governance, Risk, and Compliance Program, NARA 160; NARA\xe2\x80\x99s Internal\n   Control Program, NARA 161; Use and Monitoring of NARA Office and Information\n   Technology Equipment and Resources, NARA 802; and others.\n\n\xe2\x80\xa2\t Assisted NARA during the government shutdown. The Assistant Inspector General for\n   Investigations was designated as an exempt employee and continued to provide necessary\n   OIG functions during the funding hiatus.\n\n\xe2\x80\xa2\t Provided input to the draft Equal Employment Opportunity Commission Management\n   Directive 110.\n\n\xe2\x80\xa2\t Worked with NARA to publish a new System of Records Notice (SORN) in the Federal\n   Register for OIG Investigative Records.\n\n\xe2\x80\xa2\t Responded to multiple requests for OIG records under the Freedom of Information Act\n   (FOIA), and coordinated with the Department of Justice (DOJ) on FOIA requests pertaining\n   to joint work between the DOJ and NARA.\n\n\xe2\x80\xa2\t Reviewed legislative and OMB proposals and provided feedback to appropriate entities, and\n   reviewed newly passed legislation for its affect on NARA and the NARA OIG.\n\n\n                               Peer Review Information\n\nPeer Review of NARA OIG\xe2\x80\x99s Audit Organization\nThe NARA OIG audit function was last peer reviewed by the Federal Communications\nCommission (FCC) OIG in accordance with the Government Accountability Office\xe2\x80\x99s\nGovernment Auditing Standards (GAS) and CIGIE guidelines. FCC OIG concluded, \xe2\x80\x9cthe\nsystem of quality control for the audit organization of NARA OIG in effect for the year ended\nSeptember 30, 2010, has been suitably designed and complied with to provide NARA OIG with\nreasonable assurance of performing and reporting in conformity with applicable professional\nstandards in all material respects. Federal audit organizations can receive a rating of pass; pass\nwith deficiencies, or fail. NARA OIG has received a peer review rating of pass.\xe2\x80\x9d There are no\noutstanding recommendations from this review. The Federal Deposit Insurance Corporation\nOIG began a peer review of NARA\xe2\x80\x99s audit organization during this reporting period.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 8\nOctober 1, 2013 to March 31, 2014\n\x0cACTIVITIES\n\nPeer Review of NARA OIG\xe2\x80\x99s Office of Investigations\nNARA OIG\xe2\x80\x99s Office of Investigations was last peer reviewed by the National Science\nFoundation in May 2008. There are no outstanding recommendations from this review.\n\nIn February 2012, the Attorney General of the United States granted the Inspector General\xe2\x80\x99s\napplication for statutory law enforcement authority. Accordingly, the OI has begun preparations\nfor the now mandatory peer review that must be completed within three years of being granted\nstatutory authority.\n\n                          Response to Congressional Items\n\nFederal Information Security Management Act (FISMA) Report\n\nAs required by FISMA, the OIG conducted an independent assessment of the effectiveness of\nNARA\xe2\x80\x99s information security program and practices. The scope of the assessment encompassed\n11 program areas identified by the Office of Management and Budget (OMB) and the\nDepartment of Homeland Security (DHS). Overall we found NARA has not established an\ninformation security program consistent with FISMA, OMB policy, or NIST guidelines in any of\nthe 11 program areas. Many of the same weaknesses identified during the FY 2012 FISMA\nevaluation have not been addressed because NARA has not defined the policy and procedures to\ngovern these areas. Policy and procedures are the starting point toward building an established\ninformation security program consistent with FISMA\xe2\x80\x99s requirements, OMB policy, and NIST\nguidelines. We remain concerned NARA has decided to reclassify and downgrade the material\nweakness in information security at a time when significant improvements and focused efforts on\nthese 11 areas are still needed.\n\n\nThe Government Charge Card Abuse Prevention Act of 2012, Public Law No.\n112-194\nThis law mandates inspectors general conduct periodic risk assessments of agency purchase and\ntravel cards to develop a plan to determine the scope, frequency and number of audits or reviews\nnecessary. The law also requires inspectors general to annually report to the OMB Director on\nthe agency progress in implementing audit recommendations. We reported, at the end of FY\n2013, NARA had four outstanding recommendations from two OIG audit reports from FYs 2008\nand 2011.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 9\nOctober 1, 2013 to March 31, 2014\n\x0cAUDITS\n\n                                                 Audit Overview\n\nThis period, we issued:\n\n     \xe2\x80\xa2 four final audit reports,\n\n     \xe2\x80\xa2 one audit memorandum, 1 and\n\n     \xe2\x80\xa2 two management letters. 2\n\nWe completed fieldwork on audits of:\n\n    \xe2\x80\xa2\t NARA\xe2\x80\x99s Capital Planning and Investment Control Process (CPIC), determining if\n       NARA\xe2\x80\x99s CPIC process and procedures were adequate, efficient, and in compliance with\n       governing NARA policy and applicable Federal laws and regulations.\n\n    \xe2\x80\xa2\t NARA\xe2\x80\x99s Compliance with the Improper Payment Elimination and Recovery Act of 2010.\n\n    \xe2\x80\xa2\t NARA\xe2\x80\x99s Enterprise Wireless Access, assessing whether NARA\xe2\x80\x99s policies, procedures,\n       and technical controls provide adequate security over its wireless networks.\n\n    \xe2\x80\xa2\t Special Telework Arrangements at NARA, determining if these arrangements were\n       administered in accordance with NARA policy and procedures.\n\n    \xe2\x80\xa2\t Selected Aspects of NARA\xe2\x80\x99s Digitization Program, determining if management controls\n       adequately address agency and customer needs, and ensure greater access to NARA\n       holdings.\n\nWe initiated or continued work on audits of:\n\n    \xe2\x80\xa2\t NARA\xe2\x80\x99s Mobile Device Management, evaluating NARA\xe2\x80\x99s efforts to secure and deploy\n       mobile devices on the NARA network, and to maintain and adequately dispose of them.\n\n    \xe2\x80\xa2\t Conference-Related Activities and Expenses, to evaluate internal controls over NARA-\n       funded conference-related spending and the reasonableness of conference expenses.\n\n    \xe2\x80\xa2\t Specially Protected Records (SPRs), to determine whether offices are protecting,\n       controlling, handling, and accounting for SPRs in accordance with NARA guidance.\n\n\n\n\n1 An audit memorandum is used when an audit is performed and there are either no findings or the findings are insignificant.\n2 Management letters are used to address issues which need to be quickly brought to the Archivist\xe2\x80\x99s or management\xe2\x80\x99s attention.\nThey do not follow GAO\xe2\x80\x99s generally accepted government auditing standards (GAGAS), nor are they intended to.\n\nSEMIANNUAL REPORT TO CONGRESS                                                                                         Page 10\nOctober 1, 2013 to March 31, 2014\n\x0cAUDITS\n\n                                    Audit Summaries\n\nManagement & Oversight of NARA\xe2\x80\x99s Energy Savings Performance Contracts\nThe National Energy Conservation Policy Act of 1978, as amended, established the authority for\nFederal agencies to enter into multiyear contracts with energy service providers for the\nimplementation of energy savings measures in exchange for a share of the energy savings\ndirectly resulting from their implementation. Since 1999, NARA has awarded six of these\nEnergy Savings Performance Contracts (ESPCs), with a total value of over $24 million. We\naudited NARA\xe2\x80\x99s use of ESPCs to determine if the contracts were adequate, efficient, and\nresulted in appropriate benefits for NARA.\n\nOur audit found contract management efforts were not fully conducted in accordance with\nestablished requirements and guidelines. Specifically, we found insufficient management of the\nawards, savings verification, payments, reporting, funding, and early cancellations of such\ncontracts. As a result, NARA has made questionable payments exceeding $8.4 million, and\nplaced the success of its ESPC energy efficiency efforts and investments at risk.\n\nWe made 10 recommendations to more thoroughly ensure NARA\xe2\x80\x99s efforts meet established\nESPC requirements and properly verify the guaranteed energy savings of its investments (OIG\nAudit Report #14-01, dated January 30, 2014.)\n\nNARA\xe2\x80\x99s Payments to Federal Agencies (excluding GSA)\nNARA contracts with various Federal agencies for security-related and building-specific services\nusing a variety of contract vehicles. In FY 2012 and FY 2011 NARA paid $7,886,775 and\n$7,549,262, respectively, in rental payments to Federal agencies. Other agreements with Federal\nagencies, including payroll and personal services, totaled $5,295,948 in FY 2012.\n\nWe reviewed NARA payments to Federal agencies, other than GSA, to ensure obligations were\nappropriate and NARA received services in accordance with the contracts. Overall, for the\nagreements reviewed, the obligations appeared to be appropriate, and NARA appeared to receive\nservices in accordance with the contract agreements. However, we identified a few weaknesses\nin internal controls which require management attention:\n\n   \xe2\x80\xa2\t NARA authorized some invoices without verifying the amounts were consistent with\n      supporting documentation from GSA.\n   \xe2\x80\xa2\t NARA authorized payment of building-specific security charges without supporting\n      documentation, and without knowing if the correct amount was charged.\n   \xe2\x80\xa2\t The point of contact on one contract agreement could not verify or document the\n      individual dates guard services were requested, or when these services were performed.\n      These factors are necessary to support the authorization to pay the invoice.\n\nWe made four recommendations which we believe, once implemented, will address the\nweaknesses cited in this report. Management concurred with each recommendation and initiated\nprompt corrective actions. (OIG Audit Report #14-07, dated April 2, 2014.)\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 11\nOctober 1, 2013 to March 31, 2014\n\x0cAUDITS\n\nUse of Presidential Library Facilities by Outside Organizations\nNARA\xe2\x80\x99s building-use regulations, 36 CFR 1280.94, outline the permissible and prohibited uses\nof Presidential library facilities by other groups. These regulations require outside organizations\napply to use library space by writing to the library director and submitting an Application for Use\nof Space in Presidential Libraries, NA Form 16011 (16011). This audit reviewed the use of\n16011s and sought to determine whether Presidential libraries were adhering to governing\nNARA policy and applicable Federal laws and regulations in regards to the use of their facilities\nby outside organizations.\n\nIn general, it appeared the Presidential libraries were complying with the intent of 36 CFR\n1280.94. However, we found:\n\n   \xe2\x80\xa2\t Presidential libraries do not always require outside groups to complete a 16011. By not\n      requiring a completed 16011, these Presidential Libraries are not adhering to 36 CFR\n      1280.94(c). In addition, the lack of a completed 16011 removes a control helping ensure\n      groups do not improperly use library facilities, and increases the difficulty of reviewing if\n      groups adhered to the regulations.\n   \xe2\x80\xa2\t 16011s associated with events were not properly completed. Not properly completing the\n      form violates 36 CFR 1280.94(c), and hinders the ability to review and determine if\n      regulations were followed.\n   \xe2\x80\xa2\t Some events appeared to involve activities of a religious nature. These events may have\n      violated 36 CFR 1280.94(d)(4), which states use of the auditoriums and other public\n      places will not be authorized for any sectarian or similar purpose. It was not possible to\n      determine conclusively if these events did or did not involve religious or sectarian\n      activities based solely upon the description of the events found on the 16011 form. Thus,\n      a lack of appropriate documentation, an important internal control activity, hindered our\n      ability to ascertain whether or not these events adhered to 36 CFR 1280.94\n\nWe made five recommendations to improve the processes for allowing outside groups to use\nPresidential Libraries. Management concurred with all five recommendations. (OIG Audit\nReport #14-04, dated March 5, 2014.)\n\nNARA Field Offices Acquisition Activities\n\nWe assessed whether field office acquisitions were awarded in accordance with the Federal\nAcquisition Regulations (FAR) and other authorities, and the adequacy of management controls\nover them. However, increased attention is needed to further strengthen acquisition activity\nwithin NARA field offices. Specifically, we found:\n\n   \xe2\x80\xa2\t Field office Contracting Officers (COs) did not receive required training prior to\n      obtaining their CO certificate of appointment. In addition, proficiency training was not\n      taken by all field COs in order to maintain their CO authority.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 12\nOctober 1, 2013 to March 31, 2014\n\x0cAUDITS\n\n   \xe2\x80\xa2\t Completed contracts were not closed out in a timely manner in accordance with the\n      FAR.\n   \xe2\x80\xa2\t All field office contracts are not being reviewed by the field office support team\n\n      for compliance with the FAR prior to award. \n\n   \xe2\x80\xa2\t NARA guidance for approval of small and small disadvantaged business utilization\n      exceptions is not consistent.\n\nWe made four recommendations to further strengthen oversight of acquisition activity at NARA\nfield offices. Management concurred with all four recommendations. (OIG Audit Report #14\xc2\xad\n05, dated March 11, 2014.)\n\nNARA\xe2\x80\x99s FY 2013 Financial Statement Review\n\nWe contracted with Cotton & Cotton LLP (C&C), a public accounting firm, to audit NARA\xe2\x80\x99s\nConsolidated Balance Sheets as of September 30, 2013, and 2012, and the related Statements of\nNet Cost, Changes in Net Position, and Budgetary Resources. C&C issued NARA an\nunqualified opinion on NARA\xe2\x80\x99s FY 2013 and 2012 financial statements. C&C disclosed no\nmaterial weaknesses, significant deficiencies, or instances of noncompliance with certain\nprovisions of laws and regulations. There were no recommendations.\n\nWe monitored C&C to ensure the audit was conducted in accordance with the contract, and in\ncompliance with the Government Accountability Office\xe2\x80\x99s Government Auditing Standards and\nother authoritative references, such as OMB Bulletin No. 07-04, Audit Requirements for Federal\nFinancial Statements. Our review disclosed no instances wherein C&C did not comply, in all\nmaterial respects, with the contract or GAO\xe2\x80\x99s Government Auditing Standards. (OIG Audit\nReport Memorandum #14-02.)\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                          Page 13\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\n                                       Investigations\n\nThe Office of Investigations (OI) receives and evaluates complaints, and conducts investigations\nrelated to fraud, waste, and abuse in NARA programs and operations. This includes identifying\nand recovering alienated NARA holdings. Investigations showing violations of Federal law,\nNARA Directives, or contract terms/specifications may result in administrative sanctions, civil\naction, or criminal prosecution. Such actions can include employee terminations, contractor\ndebarments, and court-imposed prison terms, probation, fines, or restitution. The OI may also\nissue Management Letters detailing systemic or timely problems or vulnerabilities, and offer\nrecommendations on how to correct them.\n\nOI activities are broadly divided into two groups: general investigations and archival recovery\ninvestigations. General investigations encompass the entire spectrum of criminal and\nadministrative investigations, including such topics as procurement fraud, employee misconduct,\nand cyber crimes. Archival recovery investigations revolve around protecting NARA\xe2\x80\x99s historical\nholdings and returning items missing from NARA\xe2\x80\x99s collection.\n\nThe OI has statutory law enforcement authority, and is presently staffed with six 1811 series\ncriminal investigators and an investigative archivist. The OI is based in the National Archives in\nCollege Park, MD (Archives II), but conducts investigations at all NARA locations across the\ncountry. The OI maintains a close relationship with NARA Security Services to coordinate law\nenforcement efforts impacting NARA. Specifically, the investigative archivist routinely\ncoordinates efforts with the Holdings Protection Team, a NARA Security Services unit charged\nwith proactively protecting and securing NARA holdings. We also liaise with the Department of\nJustice (DOJ), the OIG community, and other law enforcement agencies and organizations.\n\nInvestigative Initiatives\n\nThe OI conducts Investigative Initiatives to proactively identify and test vulnerabilities in NARA\nprograms and operations, and address other OIG concerns. As part of this program, the OI\nperiodically assesses the agency\xe2\x80\x99s vulnerability to fraud, archival theft, and loss of sensitive\nelectronic data. These assessments may also be undertaken to review such things as employee\nconflicts of interest, systemic weaknesses in operations and controls, incident responses taken by\nNARA, and other administrative and criminal topics. Assessments are limited in scope to\nquickly identify relevant information and transmit it to NARA management for appropriate\nconsideration or action.\n\nThis period, the OI conducted one assessment of critical incident law enforcement response plans\nat a NARA facility. The OI issued a report to NARA management, and a response is pending.\nLast period, the OI issued two Assessment Reports related to security at a Presidential library\nand researcher registration procedures. However, responses from NARA are still pending.\n\nThe OI also collects information and documents general investigative activity in Intelligence\nFiles to improve our own efficiency and enhance the OI\xe2\x80\x99s operational knowledge of NARA\nprograms, operations, and facilities. This period, the OI opened Intelligence Files related to\narchival recovery, information security, and computer crimes.\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 14\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\nOverall Activity Summary\n\nAt the end of the last reporting period, 15 investigations were open. During this reporting\nperiod, the OI opened 12 investigations and closed 7. The OI referred one of the closed\ninvestigations to NARA for action and five for information only. At the end of this reporting\nperiod, 20 investigations were open.\n\n                                    General Investigations\nUpdates on Previously Reported General Investigations\n\nRemoval and Destruction of Records\nTwo former NARA employees destroyed Federal records at the National Personnel Records\nCenter in St. Louis, MO. Each pleaded guilty to one misdemeanor count of theft of government\nproperty, and both were sentenced to two years probation.\n\nPotential Transportation Benefit Fraud\nAfter finding no evidence of criminal or administrative misconduct, the OI closed an\ninvestigation into potential transportation benefit fraud.\n\nAllegations of Fraud\nThe OI continues to investigate allegations a private entity did not comply with elements of a\ncooperative agreement.\n\nTheft of Funds from a Presidential Library\nThe OI continues to work jointly with local enforcement to investigate allegations a former\nNARA employee stole funds from a Presidential library.\n\nNew General Investigation Highlights\n\nResearcher Misconduct\nThe OI investigated allegations a private researcher concealed documents on their person and left\na NARA facility. The OI unsubstantiated the allegation, but found the researcher had in fact\nconcealed personal papers under their clothing before leaving a NARA research room.\n\nMissing Laptop Computers\nThe OI initiated an investigation into a report from NARA management that three laptop\ncomputers are missing from NARA inventory.\n\nUnauthorized Access to NARA Records\nThe OI initiated an investigation into allegations of unauthorized access to NARA holdings at a\nregional archives and records center.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 15\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\n                    Archival Recovery Team (ART) Activity\n\nART is a concept that embodies the OI\xe2\x80\x99s focus on recovering alienated Federal records. ART is\nthe teaming of agents with the expertise of an investigative archivist. These teams often work\nwith NARA archivists, the Holdings Protection Team, and other law enforcement organizations\nresponsible for investigating thefts, loss, or trafficking of cultural artifacts and fine art.\n\nThefts\n\nART investigates all allegations of theft of NARA holdings. Thefts may be internal or external\nand involve NARA employees, contractors, interns, and researchers. ART refers all instances of\nsubstantiated theft to the DOJ for potential criminal prosecution. ART also refers internal thefts\nto NARA management for administrative action.\n\nNon-criminal Recoveries\n\nIndividuals may intentionally or unknowingly alienate a Federal record before it is accessioned\ninto NARA\xe2\x80\x99s holdings. Once identified, alienated records are subject to recovery through a legal\nprocess known as replevin, a common law action to recover property unlawfully taken.\n\nIf ART receives allegations a record or item was alienated, our investigative archivist helps\nestablish if the record should have been accessioned into NARA\xe2\x80\x99s holdings. If the record should\nhave come to NARA, ART refers this substantiation to the NARA Office of General Counsel\n(NGC) to begin the replevin process or other methods of recovering the document, such as\nvoluntary donation. If the holder of the document is unwilling to release or donate a document,\nNGC may also pursue recovery through the DOJ civil division.\n\nProactive\n\nTips from our public sentinels are critical to successfully recovering our nation\xe2\x80\x99s records. To\nleverage the power of their knowledge, ART engages in a variety of initiatives to establish\nrelationships within the historical artifacts community, and the public at large. Several times\nevery year, ART staffs a display at various historical artifact shows throughout the country. In\nthis reporting period, ART attended the Low Country Civil War Show in Charleston, South\nCarolina, and the Washington Antiquarian Book Show.\n\nART maintains a Facebook page updating the public about upcoming shows and ART\nhappenings, along with other newsworthy items about document thefts, investigations, and\nrecoveries at NARA and other institutions worldwide. ART received 5,196 \xe2\x80\x9clikes\xe2\x80\x9d on its\nFacebook page this reporting period. Visit the site at www.facebook.com/archivalrecoveryteam.\n\nIn this reporting period, ART also relied upon a NARA volunteer to search an internet auction\nsite for Federal documents. Finally, ART reviews NARA holdings, identifying items at risk for\ntheft and making recommendations to NARA about what records should be restricted or\nprotected.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 16\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\nMissing Documents\n\nWorking in conjunction with NARA, ART has established a listing of documents identified as\nmissing from NARA holdings. Some of these documents are known to have been stolen, but\nhave never been recovered. Others have simply been identified by NARA archivists or\nresearchers as missing. In both cases, ART has little or no evidence to work with, so the\ndocuments are listed on the NARA website in the hope of receiving viable leads to recover these\nmaterials. During this period, ART received 12 complaints from the public and NARA staff\nabout Federal items for sale through online auction sites. ART\xe2\x80\x99s Missing Documents email also\nreceived five inquiries this period.\n\nPlease visit the website at www.archives.gov/research/recover/missing-documents.html to learn\nmore. If you have information about any documents listed on the site or believe you have seen a\nFederal document in private hands, please email ART at MissingDocuments@nara.gov.\n\nUpdates on Previously Reported ART Investigations\n\nDisposition of Stolen Historical Materials\nAs a result of a joint investigation with the Federal Bureau of Investigation, two subjects pleaded\nguilty to conspiracy and theft of historical documents. The subjects stole materials from\nnumerous museums and other institutions, including seven reading copies of Presidential\nspeeches from the Franklin D. Roosevelt Library. Both subjects are currently incarcerated in\nFederal prisons. This period, the OI transferred 766 additional items to private repositories\nthroughout the country.\n\nClassified Material Unaccounted For at a NARA Records Center\nAn OI investigation into potentially missing classified records from a NARA records center was\nclosed pending completion of inventory validation of the facility\xe2\x80\x99s classified storage area.\nNARA now reports they identified 5,783 boxes with issues (including some potentially missing),\nbut have resolved the status of 4,746 (82%) of those boxes. NARA\'s work to resolve the status\nof the remaining 1,037 continues, and the OI will monitor the situation to determine whether to\nre-open or close-final this investigation.\n\nDocument Signed by Revolutionary War General\nART had previously discovered a document signed by Revolutionary War General Peter\nMuhlenberg for sale. The document is consistent with holdings at the NARA Mid-Atlantic\nregion. ART previously referred this document to management for recovery, but additional\ninvestigation is now necessary to determine to whom the document was sold. The investigation\nis ongoing.\n\nRecovery of a U.S. Army Continental Command Record\nART recovered a Weekly Station & Effective Force Report for the 2nd Cavalry Division, dated\nOctober 2, 1865, and authored by Major General George Custer. The report had been listed on the\nMissing Documents webpage, and an investigation is ongoing.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 17\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\nPresidential Pardons\nThe OI initiated an investigation involving two Presidential pardons: one has been listed on the\nMissing Documents list, and the other may also have been alienated from NARA holdings.\n\nMissing Historical World War II Movies\nThe OI continues investigating allegations historical World War II movies are missing from the\nNational Archives in College Park, MD.\n\nPage Missing from a U.S. Naval Deck Log\nBased on an OI referral, NARA recovered a page missing from a deck log for the U.S.S.\nMalvern. The page documents a visit by President Abraham Lincoln to the city of City Point,\nVirginia, on March 25-26, 1865.\n\nNew ART Investigative Highlights\n\nHoldings from an Affiliated Archive for Sale on Internet Auction Site\nThe OI received allegations records from an affiliated archive were for sale on an internet\nauction site. A joint investigation is ongoing.\n\nRecovery of Document from Civil War Prize Case File\nBecause of a report from a private researcher, the OI recovered a letter dated August 12, 1862,\nfrom the Pennsylvania Civil War Prize case file for the CSS Defiance. An investigation is\nongoing.\n\nReferrals for Recovery of Alienated Documents\nThe following referrals either remained ongoing, or were acted on during this reporting period.\n\n   \xe2\x80\xa2\t Life-Saving Station Log Book\n      A NARA employee found a life-saving station log book at another institution. The log\n      book is consistent with holdings at the NARA Mid-Atlantic Region, and NARA\n      management and NGC have agreed to seek recovery.\n\n   \xe2\x80\xa2\t Alienated State Department Document for Sale\n      A NARA researcher found a document for sale that may be part of a State Department\n      record. The historically significant document contains handwritten annotations from\n      President Franklin D. Roosevelt. NARA management is considering recovery.\n\n   \xe2\x80\xa2\t Historic Letter for Sale\n      ART found a letter for sale believed to have been alienated from NARA holdings. The\n      letter is dated May 12, 1861, and concerns troops being fired upon by a mob in St. Louis,\n      MO. NARA management is considering recovery.\n\n   \xe2\x80\xa2\t Records of the U.S. Coast Guard\n      Historical records related to Coast Guard activities in Philadelphia during World War II\n      were sold online. These records are consistent with those held in the Mid-Atlantic\n      Region, and NARA management is considering recovery.\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 18\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\n   \xe2\x80\xa2\t Department of Interior Photographs\n      Photographic negatives commissioned by the U.S. Department of Interior were donated\n      to a public university. NARA management is considering recovery.\n\n   \xe2\x80\xa2\t Classified Documents in Personal Papers\n      Classified documents were found among personal papers donated to a public university.\n      Presidential library staff members are reviewing the documents for declassification and to\n      identify any which should be among NARA\'s holdings.\n\n                                    Computer Crimes Unit\n\nIn 2005, NARA OIG established a Computer Crimes Unit (CCU) within the OI. The CCU\nprovides laboratory and field support for digital evidence seized or surrendered to the NARA\nOIG or other law enforcement agencies working with us. Digital evidence forensic support\nservices can include, among other things, computer forensic examinations on seized digital\nmedia, on-site computer hard drive imaging, expert witness testimony, data analysis to determine\nevidentiary value, and technical training. The CCU is staffed by one full-time 1811 series\ncomputer crimes investigator.\n\nDuring this reporting period, the CCU completed forensic examinations in support of criminal\nand administrative investigations related to computer misuse, suspected access fraud, and threats\nagainst NARA employees. The CCU continues to work with the NARA Inappropriate Use\nWorking Group, the Office of General Counsel, IT Security, and the Information Management\nBranch to provide independent oversight and help ensure NARA assets are being utilized\nproperly and within the guidelines set for acceptable use.\n\nNew CCU Investigative Highlights\n\nThreatening Behavior by a NARA Employee\nThe OI closed a joint investigation into allegations a NARA employee made threatening\ncomments to a NARA manager and misused a government computer. The OI substantiated the\nemployee used a NARA computer to store pornography, and the employee resigned.\n\nProblems with IT Infrastructure at a NARA Facility\nThe CCU initiated an investigation into allegations of problems with IT Infrastructure at a\nNARA facility.\n\nMisuse of a NARA Computer\nThe CCU independently developed evidence a NARA employee misused a NARA computer to\nstore pornography. An investigation is ongoing.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 19\nOctober 1, 2013 to March 31, 2014\n\x0cINVESTIGATIONS\n\n                                         OIG Hotline\nThe OIG Hotline provides a confidential channel for reporting fraud, waste, abuse, and\nmismanagement to the OIG. In addition to receiving telephone calls at a toll-free Hotline\nnumber and letters to the Hotline post office box, we also accept email communication from\nNARA\xe2\x80\x99s internal network or the Internet through the Hotline email system. Walk-ins are always\nwelcome. Visit http://www.archives.gov/oig/ for more information, or contact us:\n\n   \xe2\x80\xa2   By telephone\n       Washington, DC, Metro area: (301) 837-3500 \n\n       Toll-free and outside the Washington, DC, Metro area: (800) 786-2551 \n\n   \xe2\x80\xa2   By mail\n       NARA OIG Hotline\n       P.O. Box 1821 \n\n       Hyattsville, MD 20788-0821 \n\n   \xe2\x80\xa2   By email\n       oig.hotline@nara.gov\n   \xe2\x80\xa2   By Fax\n       (301) 837-0879\n   \xe2\x80\xa2   By online referral form\n       http://www.archives.gov/oig/referral-form/index.html\n\nThe Office of Investigations promptly and carefully reviews calls, letters, and email to the\nHotline. We investigate allegations of suspected criminal activity or civil fraud and conduct\npreliminary inquiries on non-criminal matters to determine the proper disposition. Where\nappropriate, referrals are made to OIG audit staff, NARA management, or external authorities.\nSubstantive Hotline contacts are captured as complaints in the Office of Investigations.\n\n                            Hotline Activity for the Reporting Period\n                    Hotline contacts received                                  4\n                    Hotline contacts opened to Complaints                      1\n                    Hotline contacts referred to other entity                  3\n                    Hotline contacts closed to file                            0\n                    Hotline contacts referred to OIG audit staff               0\n                    Hotline contacts referred to NARA management               0\n\n\n                         Contractor Self Reporting Hotline\nAs required by the Federal Acquisition Regulation, a web-based form allows NARA contractors\nto notify the OIG, in writing, whenever the contractor has credible evidence a principal,\nemployee, agent, or subcontractor of the contractor has committed a violation of the civil False\nClaims Act or a violation of Federal criminal law involving fraud, conflict of interest, bribery, or\ngratuity violations in connection with the award, performance, or closeout of a contract or any\nrelated subcontract. The form can be accessed through the OIG\xe2\x80\x99s home page, or found directly\nat http://www.archives.gov/oig/contractor-form/index.html.\n\nSEMIANNUAL REPORT TO CONGRESS                                                               Page 20\nOctober 1, 2013 to March 31, 2014\n\x0cSIGNIFICANT DISAGREEMENTS\n\n           Disagreements with Significant Management Decisions\nUnder the IG Act, as amended, the OIG reports \xe2\x80\x9cinformation concerning any significant\nmanagement decision with which the Inspector General is in disagreement.\xe2\x80\x9d The following\ndisagreements were first reported in our Semi-Annual Report to Congress for the period October\n11, 2012 to March 31, 2013. However, as little has changed in this reporting period, they remain\nan issue.\n\nIn November 2013, we reviewed NARA\xe2\x80\x99s FY 2013 Draft Federal Manager\xe2\x80\x99s Financial Integrity\nAct (FMFIA) statement. We disagreed with the assurance statement for Section 2 of the FMFIA\nreporting requirements. While the agency had introduced an entity-wide Internal Control\nProgram, the program had not developed enough to clearly reflect NARA\xe2\x80\x99s internal control\nenvironment. Without a fully implemented program able to identify, document, and test risks\nand controls for each critical function, the agency is not able to identify all its existing risks and\npotential weaknesses. As a result the agency\xe2\x80\x99s FY 2013 assurance statement currently\nunderreports material weaknesses and does not accurately reflect the breadth of risks in NARA\xe2\x80\x99s\nProcessing Program, Electronic Records Management, and Information System and Technology\nSecurity.\n\nNARA\xe2\x80\x99s Processing Program\n\nNARA\xe2\x80\x99s FY 2012 assurance statement downgraded the Processing Program from a material\nweakness to a reportable condition. NARA made this decision based on the current state of\nFederal records processing, the strides the agency has made in the last six years, and the current\nfocus on reengineering processing work. The agency also made the decision to remove the\nprocessing of Presidential records from this weakness since they believed the processes and\nrequirements with processing these records are distinctly different from Federal records.\n\nBased on our assessment, NARA\xe2\x80\x99s Processing Program should still be carried as a material\nweakness for FY 2013. Our FY 2013 audit 3 found although NARA has made significant strides\nin reducing the processing backlog since our last audit in 2007, additional effort is still needed to\nreduce the material weakness and strengthen NARA\xe2\x80\x99s Processing Program. Specifically, we\nreported the strategic direction of processing needs to include an overall agency policy and\ndefinition, adequate backlog reduction plans for Research Services field locations, plans for\nincreased processing progress in the Presidential libraries, improved processing staff utilization,\nand a realistic and attainable processing goal. As a result, a processing backlog continues to\nplace records at risk, increasing the time for reference requests, impairing the agency\xe2\x80\x99s ability to\ndescribe the records online, and is limiting access to records.\n\nNARA\xe2\x80\x99s Electronic Records Management Program\n\nNARA reported its Electronic Records Management program as a reportable condition instead of\na material weakness. This decision was predicated on the issuance of Presidential Memorandum\n\xe2\x80\x93 Managing Government Records and OMB Memorandum 12-18. These documents represent\n\n3 Audit Report No. 13-14, Audit of Processing Textual Records, dated September 18, 2013.\n\nSEMIANNUAL REPORT TO CONGRESS                                                                 Page 21\nOctober 1, 2013 to March 31, 2014\n\x0cSIGNIFICANT DISAGREEMENTS\n\nan Executive Branch-wide effort to reform records management policies and practices, and to\ndevelop a 21st-century framework for managing Government records. Management is using\nOMB Memorandum 12-18 to guide the development of the Chief Records Officer\xe2\x80\x99s operational\nplans for years to come, and to serve as an action plan against which NARA can monitor and\nassess progress. However, the directive does not mitigate the existing risks outlined in our 2010\naudit report OIG 10-04, NARA\xe2\x80\x99s Oversight of Electronic Records Management in the Federal\nGovernment. The report found NARA did not have adequate controls in place to protect\npermanent Federal electronic records from loss. Specifically, we reported NARA could not\nreasonably ensure permanent electronic records are being adequately identified, maintained, and\ntransferred to NARA in accordance with federal regulations. Until sufficient controls have been\nimplemented to minimize these risks, NARA should classify this program as a material\nweakness.\n\nNARA\xe2\x80\x99s Information System and Technology Security\n\nThe Information System and Technology Security (IS&TS) was downgraded by management in\nFY 2013 to a reportable condition from a material weakness. This decision was based on\nmanagement\xe2\x80\x99s assertion various processes have been revamped to address prior\nrecommendations, including application of a new risk-ranking methodology, and instituting\nmetrics to monitor progress. We believe, as we did in previous years, management\xe2\x80\x99s assessment\ndoes not represent the true material weakness. Actions taken to risk-rank open\nrecommendations, and to develop metrics to track how Information Service is managing\nrecommendations, is not sufficient to correct the underlying problems continuing to plague\nNARA\xe2\x80\x99s IS&TS. The underlying issue is not NARA\xe2\x80\x99s progress in closing open\nrecommendations, but rather its inability to successfully establish a program that identifies,\nreports, and mitigates security concerns. Further, the decision to downgrade IS&TS cannot be\naccurately made without first having results from an Internal Control Program that adequately\nsupport the claimed risks, controls, and weaknesses.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                             Page 22\nOctober 1, 2013 to March 31, 2014\n\x0cTOP TEN MANAGEMENT CHALLENGES\n\n                                         Overview\n\nUnder the authority of the Inspector General Act, the NARA OIG conducts and supervises\nindependent audits, investigations, and other reviews to promote economy, efficiency, and\neffectiveness; and to prevent and detect fraud, waste, and mismanagement. To fulfill our mission\nand help NARA achieve its strategic goals, we have aligned our programs to focus on areas we\nbelieve represent the agency\xe2\x80\x99s most significant challenges. We have identified those areas as\nNARA\xe2\x80\x99s top ten management challenges.\n\n1. Electronic Records Archives\nNARA initiated the Electronic Records Archive (ERA) program in order to address the challenge\nof ingesting, preserving and providing access to our nation\'s electronic records for as long as\nneeded. However, virtually since inception the program has been fraught with delays, cost\noverruns, and technical shortcomings and deficiencies identified by our office and the\nGovernment Accountability Office (GAO). In August 2010, the Office of Management and\nBudget (OMB) placed ERA on its high-priority list of 26 high-risk Federal IT projects. On\nSeptember 30, 2011, the development contract between NARA and Lockheed Martin\nCorporation concluded. However, many core requirements were not fully addressed, and ERA\nlacks the originally envisioned functionality.\n\nThe program is now in an Operations and Maintenance (O&M) phase under a 10-year, $240\nmillion contract with IBM. The O&M tasks to be performed by IBM, under a firm-fixed-price\n(FFP) arrangement, include: help desk operations, incident management, problem management,\nhardware and software maintenance, asset and configuration management, deployment\nmanagement, capacity management, availability management, security services, backup and\nrecovery services, and ingest operations. The contract also includes replacing and updating the\ntechnologies comprising ERA, and correcting and adapting ERA functionality as necessary to\nmeet stakeholder needs. These additional tasks will be performed under Technical Direction\nLetters (TDLs), which may be either FFP or time-and-materials (T&M) arrangements.\n\nERA faces many challenges going forward, including addressing increased volumes of data to be\ningested and increased number of users to be supported now that ERA use is mandatory for all\nFederal agencies. However, the greatest challenge will be NARA\'s ability (with vendor support)\nto effectively meet stakeholder needs, while operating and maintaining a system whose\ndevelopment failed to meet core benchmark requirements and lacks originally envisioned\ncapabilities.\n\n2. Improving Records Management\nPart of NARA\xe2\x80\x99s mission is safeguarding and preserving the records of our government, thereby\nensuring people can discover, use, and learn from this documentary heritage. NARA provides\ncontinuing access to the essential documentation of the rights of American citizens and the\nactions of their government. The effective management of these records is key to accomplishing\nthis mission. NARA must work with Federal agencies to ensure the effective and efficient\nappraisal, scheduling, and transfer of permanent records, in both traditional and electronic\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 23\nOctober 1, 2013 to March 31, 2014\n\x0cTOP TEN MANAGEMENT CHALLENGES\n\nformats. The major challenge is how best to accomplish this component of our overall mission\nwhile reacting and adapting to a rapidly changing technological environment in which\nelectronic records, particularly email, proliferate. In short, while the ERA system is intended to\nwork with electronic records received by NARA, we need to ensure the proper electronic and\ntraditional records are in fact preserved and sent to NARA in the first place.\n\nIn November 2011 a Presidential Memorandum titled Managing Government Records was\nissued. This began a new executive branch-wide effort to reform records management policies\nand practices. In August 2012, the Office of Management and Budget (OMB) issued\nMemorandum 12-18, Managing Government Records Directive, creating a robust records\nmanagement framework. This Directive requires agencies, to the fullest extent possible, to\neliminate paper and use electronic recordkeeping. It is applicable to all executive branch\nagencies and to all records, without regard to security classification or any other restriction. This\nDirective also identifies specific actions to be taken by NARA, OMB, and the Office of\nPersonnel Management (OPM) to support agency records management programs. Agencies\nmust manage all permanent electronic records in an electronic format by December 31, 2019,\nand must manage both permanent and temporary email records in an accessible electronic format\nby December 31, 2016. NARA, its Government partners, and Federal agencies are challenged\nwith meeting these deadlines, determining how best to manage electronic records in accordance\nwith this guidance, and how to make ERM and e-Government work more effectively.\n\n3. Information Technology Security\nThe Archivist identified IT Security as a material weakness under the Federal Managers\xe2\x80\x99\nFinancial Integrity Act reporting process from FY 2007 to FY 2012. In 2013, NARA\nreclassified and downgraded the material weakness in IT security to a reportable issue. This is\nconcerning when improvements and focused efforts are still needed to establish a mature\ninformation security program.\n\nAnnual assessments of NARA\xe2\x80\x99s compliance with the Federal Information Security Management\nAct have consistently identified program areas in need of significant improvement. NARA has\nsome elements of an information security program, but real progress will not be made until\nNARA establishes an effective system of internal control for information security. The\nconfidentiality, integrity, and availability of our electronic records and information technology\nsystems are only as good as our IT security infrastructure.\n\nIn FY 2012, an assessment performed by contractors identified multiple deficiencies with\nNARA\xe2\x80\x99s network architecture, many of which stem from the lack of strategic planning with\nregard to the redundancy, resiliency and overall design of the network. These issues not only\nallow for security and performance problems, but they inhibit NARA IT management from\neffectively establishing a tactical and innovative strategy for the next generation of NARA\xe2\x80\x99s\nnetwork. Each year, risks and challenges to IT security continue to be identified. NARA must\nensure the security of its data and systems or risk undermining the agency\xe2\x80\x99s credibility and\nability to carry out its mission.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                Page 24\nOctober 1, 2013 to March 31, 2014\n\x0cTOP TEN MANAGEMENT CHALLENGES\n\n4. Expanding Public Access to Records\nThe records of a democracy\xe2\x80\x99s archives belong to its citizens. NARA\xe2\x80\x99s challenge is to more\naggressively inform and educate our customers about the services we offer and the essential\nevidence to which we can provide access. Unfortunately, approximately 33 percent of NARA\xe2\x80\x99s\ntextual holdings have not been processed to allow efficient and effective access to these records.\nTo meet its mission, NARA must work to ensure it has the processes and resources necessary to\nestablish intellectual control over this backlog of unprocessed records.\n\nAnother challenge for NARA, given society\xe2\x80\x99s growing expectation for easy and near-immediate\naccess to information online, will be to provide such access to records created digitally (\xe2\x80\x9cborn\ndigital\xe2\x80\x9d) and to identify those textual records most in demand so they can be digitized and made\navailable electronically. NARA\'s Strategic Plan establishes Public Access as NARA\xe2\x80\x99s \xe2\x80\x9ccore\npurpose,\xe2\x80\x9d but NARA\xe2\x80\x99s digitization efforts to-date have resulted in limited success. Further,\nERA\xe2\x80\x99s diminished access capabilities compound this problem. NARA\xe2\x80\x99s role in ensuring the\ntimeliness and integrity of the declassification process of classified material held at NARA is\nalso vital to public access.\n\n5. Meeting Storage Needs of Growing Quantities of Records\nNARA-promulgated regulation 36 CFR Part 1228, \xe2\x80\x9cDisposition of Federal Records,\xe2\x80\x9d Subpart K,\n\xe2\x80\x9cFacility Standards for Records Storage Facilities,\xe2\x80\x9d requires all facilities housing Federal records\nto meet defined physical and environmental requirements by FY 2009. NARA\xe2\x80\x99s challenge is to\nensure NARA\xe2\x80\x99s own facilities, as well as those used by other Federal agencies, are in\ncompliance with these regulations; and to effectively mitigate risks to records which are stored in\nfacilities not meeting these standards.\n\n6. Preservation Needs of Records\nNARA holdings grow older daily, and face degradation associated with time. This affects both\ntraditional paper records, and the physical media that electronic records and audiovisual records\nare stored on. Per management, preservation resources have not been able to adequately address\nthe growth in holdings needing preservation action. Preserving and providing access to records is\na fundamental element of NARA\xe2\x80\x99s duties to the country, and NARA cannot provide access to\nrecords unless it can preserve them for as long as needed. The backlog of records needing\npreservation continues to grow. NARA is challenged to address this backlog and future\npreservation needs, including the data integrity of electronic records. Further, NARA\xe2\x80\x99s primary\ntool for preserving electronic records, the ERA system, has not delivered the functionality\nnecessary to address record format obsolescence (see OIG Challenge #1). The challenge of\nensuring NARA facilities meet environmental standards for preserving records (see OIG\nChallenge #5) also plays a critical role in the preservation of Federal records.\n\n7. Improving Project Management\nEffective project management, particularly for IT projects, is essential to obtaining the right\nequipment and systems to accomplish NARA\xe2\x80\x99s mission. Complex and high-dollar contracts\n\nSEMIANNUAL REPORT TO CONGRESS                                                               Page 25\nOctober 1, 2013 to March 31, 2014\n\x0cTOP TEN MANAGEMENT CHALLENGES\n\nrequire multiple program managers, often with varying types of expertise. NARA is challenged\nwith planning projects, developing adequately defined requirements, analyzing and testing to\nsupport acquisition and deployment of the systems, and providing oversight to ensure effective\nor efficient results within costs. Currently, IT systems are not always developed in accordance\nwith established NARA guidelines. These projects must be better managed and tracked to\nensure cost, schedule, and performance goals are met.\n\nAs an example, GAO reported NARA did not document the results of briefings to its senior\nmanagement oversight group during the development of NARA\xe2\x80\x99s largest IT project, the ERA\nprogram. There is little evidence the group identified or took appropriate corrective actions, or\nensured such actions were taken and tracked to closure. Without adequate oversight evaluating\nproject progress, including documenting feedback and action items from senior management,\nNARA will not be able to ensure projects are implemented at acceptable cost and within\nreasonable time frames. GAO also reports NARA has been inconsistent in its use of earned\nvalue management (EVM), a project management approach providing objective reports of\nproject status and early warning signs of cost and schedule overruns. Inconsistent use of key\nproject management disciplines like EVM limits NARA\xe2\x80\x99s ability to effectively manage projects\nand accurately report on their progress.\n\n8. Physical and Holdings Security\nThe Archivist has identified security of collections as a material weakness for the agency.\nDocument and artifact theft is not a theoretical threat; it is a reality NARA has been subjected\nto time and time again. NARA must maintain adequate levels of security to ensure the safety\nand integrity of persons and holdings within our facilities. This is especially critical in light of\nthe security realities facing this nation and the risk our holdings may be pilfered, defaced, or\ndestroyed by fire or other man-made and natural disasters. Not only do NARA\xe2\x80\x99s holdings have\nimmense historical and financial value, but we hold troves of national security information as\nwell. Developments such as the creation of the Holdings Protection Team and implementation\nof stricter access controls are welcome additions to NARA\xe2\x80\x99s security posture and should be\ncommended. However, NARA must continually strive to improve in this area.\n\n9. Contract Management and Administration\nThe GAO has identified Commercial Services Management (CSM) as a government-wide\ninitiative. The CSM initiative includes enhancing the acquisition workforce, increasing\ncompetition, improving contract administration skills, improving the quality of acquisition\nmanagement reviews, and strengthening contractor ethics requirements. Effective contract\nmanagement is essential to obtaining the right goods and services at a competitive price to\naccomplish NARA\xe2\x80\x99s mission. NARA is challenged to continue strengthening the acquisition\nworkforce and to improve the management and oversight of Federal contractors. NARA is also\nchallenged with reviewing contract methods, to ensure a variety of procurement techniques are\nproperly used in accordance with laws, regulations, and best practices.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                 Page 26\nOctober 1, 2013 to March 31, 2014\n\x0cTOP TEN MANAGEMENT CHALLENGES\n\n10. Management of Internal Controls\nOMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control, explains management\nis responsible for establishing and maintaining internal controls to achieve the objectives of\neffective and efficient operations, reliable financial reporting, and compliance with applicable\nlaws and regulations. GAO has reported NARA has not established an enterprise risk\nmanagement capability, thus reducing its ability to anticipate future challenges and avoid\npotential crises. Currently, the agency has not established an effective internal control program,\nand OIG audit recommendations from as far back as FY 2009 concerning an internal control\nprogram have yet to be implemented. Thus, NARA is vulnerable to risks that may not be\nforeseen or mitigated, and does not have the ability to self-identify and appropriately manage or\nmitigate significant deficiencies. Establishment of an internal control program is critical as it\nprovides several benefits including (1) improved decision making, (2) risk identification,\nmanagement, and mitigation, (3) opportunities for process improvement, (4) effective use of\nbudgeted resources, and (5) strategic planning. NARA\xe2\x80\x99s challenge is to ensure the agency is in\ncompliance with OMB Circular A-123 and to develop and fully implement an internal control\nprogram.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                              Page 27\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\nMANDATED BY THE INSPECTOR GENERAL ACT OF 1978, AS \n\n          AMENDED, AND OTHER LAWS \n\nREQUIREMENT            SUBJECT                                             PAGE(S)\n\nSection 4(a)(2)        Review of legislation and regulations               7\xe2\x80\x938\n\n\nSection 5(a)(1)        Significant problems, abuses, and deficiencies      2 \xe2\x80\x93 3, 11 \xe2\x80\x93 13, \n\n                                                                           21 \xe2\x80\x93 27\n\nSection 5(a)(2)        Significant recommendations for corrective action   2 \xe2\x80\x93 3, 11 \xe2\x80\x93 13\n\nSection 5(a)(3)        Prior significant recommendations unimplemented     31\n\nSection 5(a)(4)        Summary of prosecutorial referrals                  30\n\nSection 5(a)(5)        Information or assistance refused                   31\n\nSection 5(a)(6)        List of reports issued                              30\n\nSection 5(a)(7)        Summaries of significant reports                    2 \xe2\x80\x93 3, 11 \xe2\x80\x93 13\n\nSection 5(a)(8)        Audit Reports\xe2\x80\x94Questioned costs                      31\n\nSection 5(a)(9)        Audits Reports\xe2\x80\x94Funds put to better use              32\n\nSection 5(a)(10)       Prior audit reports with no management decision     31\n\nSection 5(a)(11)       Significant revised management decisions            31\n\nSection 5(a)(12)       Significant management decisions                    21 \xe2\x80\x93 22, 31\n                       with which the OIG disagreed\n\nSection 5(a)(14)       Reporting on OIG peer review                        8\xe2\x80\x939\n\nP.L. 110-181           Annex of completed contract audit reports           32\n\nP.L. 104-106           Prior fiscal years\xe2\x80\x99 open audit recommendations      33 \xe2\x80\x93 49\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                     Page 28\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\nSTATISTICAL SUMMARY OF INVESTIGATIONS\n\nInvestigative Workload\n        Hotline contacts received this reporting period                                 4\n        Complaints opened this reporting period                                         23\n        Investigations pending at beginning of reporting period                         15\n        Investigations opened this reporting period                                     12\n        Investigations closed this reporting period                                     10\n        Investigations carried forward this reporting period                            20\nCategories of Closed Investigations\n        Fraud                                                                           0\n        Conflict of Interest                                                            0\n        Contracting Irregularities                                                      0\n        Misconduct                                                                      1\n        Larceny (theft)                                                                 0\n        Other                                                                           6\nInvestigative Results\n        Cases referred \xe2\x80\x93 accepted for prosecution                                       1\n        Cases referred \xe2\x80\x93 declined for prosecution                                       0\n        Cases referred \xe2\x80\x93 pending prosecution decision                                   0\n        Arrest                                                                          0\n        Indictments and informations                                                    0\n        Convictions                                                                     2\n        Fines, restitutions, judgments, and other civil and administrative recoveries   $0\n        NARA holdings recovered                                                         3\nAdministrative Remedies\n        Employee(s) terminated                                                          0\n        Employee(s) resigned                                                            1\n        Employee(s) suspended                                                           0\n        Employee(s) given letter of reprimand or warnings/counseled                     0\n        Employee(s) taking a reduction in grade in lieu of administrative action        0\n        Contractor (s) removed                                                          0\n\n        Individual(s) barred from NARA facilities                                       0\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                           Page 29\nOctober 1, 2013 to March 31, 2014\n\x0c        REPORTING REQUIREMENTS\n\n                               SUMMARY OF PROSECUTORIAL REFERRALS\n                                                  Requirement 5(a)(4)\n        Accepted for Prosecution\n\n        Theft of Funds from a Presidential Library\n        The OI continues to work jointly with local enforcement to investigate allegations a former\n        NARA employee stole funds from a Presidential library.\n\n        Declined for Prosecution\n\n        None.\n\n        Pending Prosecutorial Determination\n\n        None.\n\n\n                                   LIST OF AUDIT REPORTS ISSUED\n                                             Requirement 5(a)(6)\nReport      Title                                   Date           Questioned   Unsupported    Funds Put to\nNo.                                                                Costs        Costs          Better Use\n14-01       Audit of the Management and\n            Oversight of NARA\xe2\x80\x99s Energy Savings       01/30/2014         $0           $0          $8,484,000\n            Performance Contracts\n14-03       NARA\xe2\x80\x99s FY 2013 Financial Statement\n                                                     01/15/2014         $0           $0               $0\n            Audit\n14-04       Audit of the Use of Presidential\n                                                     03/05/2014         $0           $0               $0\n            Libraries by Outside Organizations\n14-05       Audit of NARA\xe2\x80\x99s Field Offices\n                                                     03/11/2014         $0           $0               $0\n            Acquisition Activity\n14-07       Audit of NARA\xe2\x80\x99s Payments to Federal\n                                                     04/02/2014         $0           $0               $0\n            Agencies (excluding GSA)\n\n\n\n\n        SEMIANNUAL REPORT TO CONGRESS                                                            Page 30\n        October 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                  AUDIT REPORTS WITH QUESTIONED COSTS\n\n                                       Requirement 5(a)(8)\n\n                                             Number of\n                                                                        DOLLAR VALUE\nCategory                                                         Questioned              Unsupported\n                                              Reports\n                                                                   Costs                    Costs\n\nA. For which no management decision\n                                                   0                    $0                    $0\n   has been made by the commencement\n   of the reporting period\nB. Which were issued during the\n                                                   0                    $0                    $0\n   reporting period\n   Subtotals (A + B)                               0                    $0                    $0\nC. For which a management decision has\n                                                   0                    $0                    $0\n   been made during the reporting period\n   (i) dollar value of disallowed cost             0                    $0                    $0\n   (ii) dollar value of costs not\n                                                   0                    $0                    $0\n   disallowed\nD. For which no management decision\n   has been made by the end of the                 0                    $0                    $0\n   reporting period\nE. For which no management decision\n                                                   0                    $0                    $0\n   was made within 6 months\n\n\n\n                             OTHER REQUIRED REPORTS\n\n\nREQUIREMENT                           CATEGORY                                      SUMMARY\n5(a)(3)               Prior significant recommendations unimplemented        See attached appendix.\n5(a)(5)               Information or assistance refused                      None\n5(a)(10)              Prior audit reports with no management decision        Management has concurred\n                                                                             or disagreed with all issued\n                                                                             reports. However, many\n                                                                             management action plans are\n                                                                             overdue.\n5(a)(11)              Significant revised management decisions               None\n5(a)(12)              Significant management decisions with which the        See pages 21 \xe2\x80\x93 22.\n                      OIG disagreed\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                     Page 31\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n             AUDIT REPORTS WITH RECOMMENDATIONS THAT\n\n                     FUNDS BE PUT TO BETTER USE\n\n                                      Requirement 5(a)(9)\n\n\n\n\n             CATEGORY                             NUMBER                   DOLLAR VALUE\nA. For which no management decision has\n   been made by the commencement of                   4                        $9,148,374\n   the reporting period\nB. Which were issued during the reporting\n                                                      1                        $8,484,000\n   period\n   Subtotals (A + B)                                  5                       $17,632,374\nC. For which a management decision has\n                                                      0                            $0\n   been made during the reporting period\n   (i) dollar value of recommendations\n                                                      0                            $0\n        that were agreed to by management\n        Based on proposed management\n                                                      0                            $0\n        action\n        Based on proposed legislative\n                                                      0                            $0\n        action\n   (ii) dollar value of recommendations\n        that were not agreed to by                    0                            $0\n        management\nD. For which no management decision has\n   been made by the end of the reporting              5                       $17,632,374\n   period\nE. For which no management decision was\n   made within 6 months of issuance                   4                        $9,148,374\n\n\n\n\n            ANNEX ON COMPLETED CONTRACT AUDIT REPORTS\nSection 845 of the 2008 Defense Authorization Act, Public Law 110-181, requires certain\ninformation on completed contract audit reports containing significant audit findings be included\nas an annex to this report. While the OIG audited the ERA and other contracts during this\nperiod, they were generally program audits as opposed to contract audits.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                               Page 32\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                       Prior Fiscal Years\' Open Audit Recommendations\n Report     Title Recommendation\n 06-09      Review of NARA\'s Information Security Program\n                    2a\t   The Assistant Archivist NH should document policies and procedures for ensuring that\n                          software products running on NARANET are current versions, still supported by the\n                          software vendors.\n                    2c\t   The Assistant Archivist should immediately begin planning for the migration from Novell\n                          Netware to another type of operating system software, e.g. Microsoft or Linux.\n 06-10      Evaluation of NARA\'s Affiliated Archives Program\n                    3     The Archivist should take appropriate measures to revise MOUs between NARA and\n                          affiliates to incorporate current standards for housing NARA records.\n                    4\t    The Archivist should ensure that there is a mechanism to update the MOUs. Specifically, a\n                          procedure should be established to update the MOUs on an interim basis, or when new\n                          standards are implemented at NARA.\n                    5\t    The Archivist should ensure that all MOUs contain the required clause for the use of the\n                          NARA seal.\n                    6\t    The Archivist should ensure that all affililiates meet the current storage standards or provide\n                          waivers and time frames to have the affiliates become compliant with the NARA 1571\n                          standards.\n 06-11      Audit of System Adm. Rights and Controls\n                    3     Ensure that changes made to the application, system, and security logs are capturing the\n                          necessary information and not overwriting it until it is adequately reviewed and stored for\n                          future use and correct incident in self-audit results.\n                    5\t    Ensure that Access Control lists are produced for all IT systems and used as a basis for\n                          access validation.\n 07-10      Review of Selected Security Aspects of NARA\'s Computer Network Environment\n                    1a    Direct the CISO to perform a more comprehensive survey of computer network devices, to\n                          identify any other unauthorized devices not identified by the earlier survey conducted in\n                          response to RFC 1120.\n                    1b\t   When the recommended survey is completed, direct the FOSAs to immediately remove any\n                          unauthorized devices connected to the commuter network.\n                    1d\t   Require NARAnet system administrators to periodically scan the network using automated\n                          software tools to ensure that only approved devices are connected to the network.\n 08-01      Audit of NARA Artifacts\n                    1b    The Assistant Archivist for Presidential Libraries (NL) should ensure that the results of the\n                          completed physical inventory are transmitted to NL and appropriately secured to serve as\n                          control or master copies establishing a reliable baseline for each library\'s museum\n                          collection.\n                    1d    The Assistant Archivist for Presidential Libraries (NL) should ensure that once an initial\n                          physical inventory has been completed, non-HVOs are reinventoried/verified in a timelier\n                          manner than the current 5% or 1,000 items annually.\n                    2c\t   The Assistant Archivist for Presidential Libraries should ensure that policy and standards\n                          are developed for linking digital images of items to their record in i/O, giving priority to\n                          photographing HVOs and outgoing loan items.\n                    5d\t   The Assistant Archivist for Presidential Libraries should take the following actions in regard\n                          to the Ronald Reagan Presidential Library and Museum: Procure storage hardware that is\n                          appropriate for both the type of artifact and the fact the library is in a seismic zone, and\n                          better configure the museum storage area in order to minimize damage to the artifacts and\n                          improve the ease of access to them.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 33\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n 08-02      Audit of NARA\'s Purchase Card Program\n                    13    The Assistant Archivist of Administration should direct the Director NAA to establish\n                          written policies and procedures to evaluate the effectiveness of cardholder reconciliations\n                          and approving officials certifying duties.\n 08-04      HMS Review\n                    4a    The CIO should ensure that employees with responsibilities for conducting project analysis\n                          receive additional training for investment analysis regarding requirements, alternatives, and\n                          costs/benefits.\n 08-05      FY 07 FISMA Review\n                    12    The Assistant Archivist for Information Services should develop and implement\n                          management controls to monitor and enforce compliance with NIST SP 800-37 and NARA\n                          C&A policy.\n                    14    The Assistant Archivist for Information Services should develop and implement a\n                          mechanism to monitor system accreditations for NARA\'s National Security Systems to\n                          ensure the systems are re-certified and accredited at least every three years.\n                    15b\t The Archivist along with NARA Senior Management and Information Owners should\n                         develop recovery strategies for at least those systems identified as critical based on the\n                         outcome of the Business Impact Analysis.\n                    16b\t The Assistant Archivist for Information Services should implement management controls to\n                         verify contingency plans are reviewed and updated at least annually as required by NIST SP\n                         800-34\n                    16c\t The Assistant Archivist for Information Services should update the contingency plans, if\n                         needed, and record any changes made in the Record of Changes section of the plans.\n                    17\t The Assistant Archivist for Information Services, along with the system owners, should\n                         develop tests of the system contingency plans to evaluate the viability of the plan\n                         procedures and determine the ability of recovery staff to implement the recovery strategy\n                         identified.\n                    18\t The Assistant Archivist for Information Services should develop a plan of action and\n                         milestone process that provides visibility over all IT security weaknesses and issue written\n                         procedures regarding that process.\n                    19\t   The Assistant Archivist for Information Services should develop a process to identify\n                          employees with significant security responsibilities.\n                    2\t    The Assistant Archivist for Information Services should establish a process to review the\n                          Remedy trouble ticket work logs daily and communicate with the CIRT team, if needed, to\n                          ensure all events are fully investigated.\n                    20\t   The Assistant Archivist for Information Services should require all individuals with\n                          significant security responsibilities, including contractor employees, to complete training\n                          based on the risk provided by their activities and develop a process to monitor compliance.\n                    6\t    The Assistant Archivist for Information Services should conduct a review of open Remedy\n                          tickets and direct the contractor, in writing, to address the vulnerabilities identified during\n                          the completed server audits.\n                    7\t    The Assistant Archivist for Information Services should add security vulnerabilities\n                          identified during the server audits to the system\'s plan of action and milestones to ensure\n                          proper tracking and visibility.\n                    8\t    The Assistant Archivist for Information Services should conduct "lessons learned" meetings\n                          in accordance with the guidance in NIST SP 800-61 when a major incident occurs and\n                          periodically for lesser incidents, and develop and implement a control mechanism to verify\n                          compliance.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                             Page 34\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n 08-07      Audit of the Researcher ID Card Program\n                    1     Evaluate the enhanced security and customer service benefits that would accrue to NARA\n                          and consider implementing an automated integrated researcher registration system at all\n                          NARA facilities with research rooms.\n                    3\t    Require periodic monitoring of the Archives I and Archives II database. A log recording the\n                          date of the review and corrective action taken should be maintained.\n 09-01      Audit of the Controls Over Presidential Library Textual Records\n                    1b    The Assistant Archivist for Presidential Libraries should ensure all libraries, in accordance\n                          with NARA 1572, nominate selected staff for background checks required to access vaults\n                          or other specially protected areas (and submit the list to NASS).\n                    1c\t   The Assistant Archivist for Presidential Libraries should ensure all libraries, in accordance\n                          with NARA 1572, report storage methods and exact container locations to NASS.\n                    1d\t   The Assistant Archivist for Presidential Libraries should ensure all libraries, in accordance\n                          with NARA 1572, report the names of staff with access to specially protected records to\n                          NASS.\n                    1e\t   The Assistant Archivist for Presidential Libraries should ensure all libraries, in accordance\n                          with NARA 1572, maintain inventories of SPRs.\n                    3\t    The Assistant Archivist for Administrative Services should ensure that the Security\n                          Management Branch conduct reviews and initial certifications of SPR storage areas in a\n                          timely manner. Criteria for the evaluation of SPR storage areas should be clearly articulated\n                          and the method by which the evaluations will occur (if other than inspection) should be\n                          documented. A provision should also be made ensuring results are clearly documented and\n                          transmitted to the library, including any recommended remedial action.\n\n 09-04      NR Compliance with Controls for Safeguarding Specially Protected Records\n                    2     The Assistant Archivist for Administration should ensure the Security Management Branch\n                          (NASS) initially certifies designated SPR storage areas. If this cannot be done via on-site\n                          inspection because of time or budget constraints it should be done remotely through the\n                          exchange of information necessary to allow NASS to either certify the specially protected\n                          storage areas or communicate changes necessary to bring such holding areas into NARA\n                          1572 compliance.\n                    3     The Assistant Archivist for Regional Records Services should ensure regional archives are\n                          in compliance with the revised procedures and defined requirements resulting from\n                          recommendation 1. Specifically, they should meet the requirements for (a) nominating\n                          selected staff with access to specially protected holdings for background checks and (b)\n                          provide storage methods and container locations to NASS.\n\n 09-05      Audit of NARA\'s IV6 Compliance\n                    1     The Assistant Archivist for Information Services/CIO should ensure testing required by\n                          OMB and outlined in the Federal CIO Council Architecture and Infrastructure Committee\n                          "Demonstration Plan to Support Agency IPv6 Compliance," version 1.0 on NARA\'s\n                          operational core network is performed and the test results required by the CIO Council to\n                          demonstrate compliance are documented or obtain a written waiver from OMB.\n                    3\t    The Assistant Archivist for Information Services/CIO should ensure employees responsible\n                          for planning, implementing, maintaining, and securing an IPv6 network for NARA receive\n                          appropriate IPv6 training\n 09-14      Audit of NARA\'s FY 2008 Management Control Program\n                    1c    The NARA management control liaison should work with the offices and office\n                          management control liaisons to review, and revise as necessary, the critical functions\n                          contained in the management control plans. The revision to these plans should seek to\n                          identify and rank risks to major program and functional areas and undertake internal control\n                          reviews of major risk areas.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 35\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    2\t    The Assistant Archivist for Administrative Services should ensure Annual Information\n                          Security Self Inspection results are reviewed in a timely manner, instances of\n                          noncompliance are identified, and corrective actions are monitored; and self inspections are\n                          reviewed and documented in accordance with guidance concerning self-assessments\n                          contained in NARA 114. If a formal process as referred to by the Information Security\n                          Officer cannot be completed in time to facilitate the review of FY 2009 information security\n                          self inspections, an alternate means of reviewing the checklists should be developed.\n\n                    4\t    The Assistant Archivist for Regional Records Services should ensure all program findings,\n                          regardless of whether they are considered major or minor, are tracked to resolution and\n                          supported by adequate documentation.\n 09-15      Audit of NARA\'s Work at Home System\n                    7     We recommend the CIO ensures that the WAHS meets OMB and NIST requirements prior\n                          to full implementation.\n 09-16      Audit of Processing and Safeguarding Veterans Requests\n                    1     The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to\n                          export data for the "record of disclosure file" and follow the approved Records Disposition\n                          Schedule and limit the amount of record requests stored online.\n                    11\t   The Assistant Archivist for Regional Records Services should review these vulnerabilities\n                          and determine whether action is needed.\n                    2\t    The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to\n                          establish and enforce password requirements within CMRS that are appropriate based on the\n                          sensitivity of the information contained in the system and the need to protect the integrity of\n                          the information.\n                    3\t    The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to\n                          establish controls to restrict users to only those rights and views needed to perform their job.\n                    5\t    The Assistant Archivist for Regional Records Services should direct the Director, NPRC, to\n                          limit users\' ability to perform extracts of the database containing sensitive information or\n                          remove access to CD burners and thumb drives.\n                    6\t    This audit recommendation contains information concerning an ongoing weakness which\n                          could be used to compromise veteran\xe2\x80\x99s information; or to exploit NARA programs,\n                          operations, and systems if made public. Contact the OIG if you need more information.\n                    7\t    The Assistant Archivist for Information Services should encrypt backup tapes containing PII\n                          as required by OMB Memorandum 06-16.\n            Audit of NARA\'s Oversight of Electronic Records Management in the Federal\n 10-04      Government\n                    2\t    The Archivist should consider using the authority given under title 44 of the US Code to\n                          direct Federal agencies to perform assessments of their electronic records management\n                          programs based on requirements contained in 36 CFR Part 1236.\n                    3\t    The Archivist should ensure NARA establishes a strategy for consistently and\n                          systematically monitoring compliance with electronic records regulations and guidance\n                          throughout the Federal Government.\n                    4\t    The Assistant Archivist for Records Services, Washington DC (NW) should ensure NARA\'s\n                          strategy for monitoring and evaluating Federal agency compliance with electronic records\n                          management regulations and guidance results in adequate identification and mitigation of\n                          risks to permanent electronic records.\n                    5\t    The Assistant Archivist for Records Services, Washington DC (NW) should ensure\n                          development of controls to adequately monitor agency scheduling of electronic records in an\n                          effort to reasonably ensure electronic records/systems are scheduled in timely manner, and\n                          therefore provide a reasonably accurate reflection of the universe.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 36\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    6\t    The Assistant Archivist for Records Services, Washington DC (NW) should ensure a\n                          methodology for verifying the accuracy/completeness of Federal agency responses to\n                          electronic records scheduling requirements resulting from the E-Government Act of 2002.\n                    7\t    The Assistant Archivist for Records Services, Washington DC (NW) should ensure\n                          development and application of a methodology for adequately identifying gaps in electronic\n                          record accessions. This methodology should reasonably ensure permanent electronic\n                          records are identified, scheduled, and ultimately obtained by NARA.\n\n 10-05      Audit of NARA\'s Contract for IT and Telecommunications Support Services\n                    1     The Director, Acquisitions Services Division (NAA) should, before exercising the option\n                          for the first option year of the Capstone Task Order, ensure that the contracting officer\n                          performs sufficient, documented research and analysis to determine if the T&M Task Order\n                          is the most advantageous way to continue procuring information technology and\n                          telecommunications support services for NARA. If exercising the option is not the most\n                          advantageous way to continue acquiring these services, award a new, different type of\n                          contract, e.g., firm-fixed-price that adequately protects the government\'s interests.\n\n                    2\t    The Director, Acquisitions Services Division (NAA) should, for future procurements\n                          involving a T&M contract, ensure that contracting personnel comply with the FAR\n                          requirement that a "Determination and Findings" be prepared.\n                    3a\t   The Director, Technical Services Division (NHT), in conjunction with the Contracting\n                          Officer for the Capstone Task Order, should require the COTR for the agency\'s Task Order\n                          with the Capstone Corporation to adequately document task order surveillance efforts.\n                    3b\t   The Director, Technical Services Division (NHT), in conjunction with the Contracting\n                          Officer for the Capstone Task Order, should prepare a surveillance plan that supplements\n                          the requirements of the Quality Assurance Surveillance Plan prepared for the task order.\n                    3c\t   The Director, Technical Services Division (NHT), in conjunction with the Contracting\n                          Officer for the Capstone Task Order, should monitor and evaluate the contractor\'s\n                          performance, to determine compliance with the Service Level Agreements requirements of\n                          the task order.\n                    4\t    The Director, Acquisitions Services Division (NAA) should direct the CO for the NITTSS\n                          Task Order to require contractor compliance with the contract\'s invoice submission\n                          requirements including the (a) submission of signed timesheets or comparable data for\n                          time-and-materials work and (b) identification of contract line item numbers (CLINs) and\n                          sub-CLINs under which each employee worked.\n                    5a\t   The CO for the Capstone Task Order should direct the COTR for the Task Order to do away\n                          with the requirement for the contractor to provide draft invoices for review.\n                    5b\t   The CO for the Capstone Task Order should direct the COTR for the Task Order to\n                          document the results of her reviews of the draft invoices, share the results of her reviews\n                          with the CO, and retain that documentation in her contract folder.\n                    6\t    The CO for the Capstone Task Order should direct the COTR to inform him/her, in a timely\n                          manner, of any technical or contractual difficulties with contractor performance.\n 10-07      Audit of NARA\'s Network Infrastructure\n                    14    The Archivist should direct the Assistant Archivist for Information Services, Assistant\n                          Archivist for Regional Records Services, and the Assistant Archivist for Presidential\n                          Libraries to coordinate with the Assistant Archivist for Administration to develop a\n                          mechanism to track access reviews and key inventories for computer rooms and other\n                          locations where IT network infrastructure equipments is stored at the field sites.\n                    15\t   The Assistant Archivist for Information Services in conjunction with the Assistant Archivist\n                          for Regional Records Services and the Assistant Archivist for Presidential Libraries should\n                          periodically monitor the network environments at the field sites to ensure network\n                          equipment and cables stored outside the computer rooms are protected.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                          Page 37\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    16\t   The Assistant Archivist for Information Services in conjunction with the Assistant Archivist\n                          for Regional Records Services and the Assistant Archivist for Presidential Libraries should\n                          conduct a review to determine which facilities require racks and provide the necessary\n                          racks.\n                    17\t   The Assistant Archivist for Information Services in conjunction with the Assistant Archivist\n                          for Regional Records Services and the Assistant Archivist for Presidential Libraries should\n                          perform a risk assessment for each of the field offices to determine whether changes to the\n                          buildings are needed in order to properly protect network equipment.\n                    5\t    The CIO should create a firewall policy to establish rules for inbound and outbound traffic\n                          and how the firewall will be managed and updated.\n            Audit of the Process for Providing and Accounting for Information Provided to\n 10-14      Researchers\n                    1\t    The Assistant Archivist for NW should establish formal written policies and procedures to\n                          improve NW monitoring of the pull and refile process.\n                    2\t    The Assistant Archivist for NW should implement a centralized database for all of the NW\n                          divisions involved in the processing of researchers requests for records and determine the\n                          necessary information that should be included in the database.\n 10-19      Audit of NARA\'s Management Control Program for FY 2009\n                    1c    The Archivist should consider establishing a Senior Management Council to provide\n                          oversight and additional accountability for the Internal Control Program.\n                    2\t    The Archivist, the Assistant Archivist for NA, and the Director of NPOL should ensure\n                          recommendations from OIG Report 09-14 are implemented and previously identified\n                          weaknesses are corrected.\n 11-02      Network and Penetration Testing Oversight\n                    1     NARA management apply the appropriate hot fix referenced in the vendor advisory on the\n                          affected machines.\n                    2a\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    2b\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    2c\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    2d\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    3a\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    3b\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    3c\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    3d\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    3e\t   This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    6a\t   NARA management immediately address corrective action for all vulnerabilities identified\n                          as "high" and "critical" risk.\n                    6b\t   NARA Management evaluate the identified risks and corrective actions to address those\n                          identified as "medium" and "low" risk vulnerabilities.\n 11-05      Audit of Archives I & II Guard Service Contract\n                    6     The Assistant Archivist for Administration should develop a new fitness standard to test the\n                          physical fitness of the security officers that more closely resembles the requirements of the\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                          Page 38\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                          contract.\n\n 11-06      Audit of the NARANET Server Upgrade Project\n                    1     The CIO should continue to closely monitor the NARANET Server Upgrade project to\n                          ensure implementation deadlines are met and risks are minimized.\n                    2\t    The CIO should develop an IT Roadmap or forward plan to include specific strategies and\n                          processes to regularly assess, upgrade, and maintain the NARANET infrastructure.\n                    4\t    The CIO should ensure alternatives are fully considered and analysis documented when\n                          planning and executing the next NARANET upgrade.\n                    7\t    The CIO should assign responsibility to ensure the total costs and costs spent to date are\n                          accurate on the Monthly Status Reports and add an independent verification process to the\n                          Control Phase to verify cost figures.\n 11-14      Audit of NARA\'s Foreign and Premium Travel\n                    2a    Develop and implement a mandatory specialized training course for travelers and\n                          authorizing officials reiterating their roles and responsibilities. Refresher courses should be\n                          provided on a periodic basis.\n                    2d\t   Develop and implement procedures to follow up on travel vouchers not submitted within\n                          five working days. Take appropriate action for people who do not comply within five\n                          working days.\n                    3\t    Create a webpage within NARA@work which includes all travel information including but\n                          not limited to links to the FTR, NARA 601, the travel card application and agreement, and\n                          NABF contacts.\n                    6a\t   Review and update policy and procedures for issuing travel cards to employees. Include\n                          additional restrictions as outlined in OMB Circular A-123 on cardholders with credit scores\n                          less than 660.\n                    6b\t   Enhance procedures to perform timely periodic reviews of the appropriateness of\n                          individually and centrally billed travel cards to help ensure the effectiveness of travel card\n                          expenditures controls. Specifically, as outlined in OMB Circular A-123 review ATM cash\n                          withdrawals for reasonableness and association with official travel.\n\n 11-15      Audit of NARA\'s Drug Testing Program\n                    2     Amend NARA TDP\'s to ensure compliance with the SAMHSA\'s Interagency Coordinating\n                          Group Executive Committee Guidelines for the Selection of Testing Designated Positions\n                          and establish a mechanism to periodically review and update TDPs as necessary.\n                    3\t    Develop a training course for all supervisors that will aide them in recognizing and\n                          addressing illegal drug use by agency employees. This training should be mandatory for all\n                          supervisors. Also evaluate the current drug awareness training for employees.\n                    4\t    Develop a retention plan for all drug testing related documentation consistent with the\n                          guidance issued by SAMHSA.\n                    5\t    Review NARA\'s Drug Free Workplace Plan and update it as necessary. In addition, a plan\n                          for periodic reviews and updates of the Plan document should be developed.\n 11-20      Audit of NARA\'s Telework Program\n                    1c    Establish a cross functional team with the Office of Information Services (1) to ensure\n                          remote access capabilities will meet increased NARA telework demands and to ensure\n                          appropriate security guidance is included in NARA telework policy.\n                    1d\t   Develop a method and common criteria for tracking telework participation.\n                    3a\t   The Executive for Information Systems, CIO, and Executive for Business Support Services\n                          should ensure all deferred and failed security tests have been reassessed and the results\n                          documented.\n                    3d\t   Monitor compliance with HSPD-12 to ensure established deadlines are met.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 39\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    3e\t   Review Citrix security configurations for adequacy.\n                    3g\t   Develop a plan with General Counsel to protect PII and NARA proprietary information\n                          from being distributed or compromised over the network and email system.\n 12-02      Audit of the Management of Records at the Washington National Records Center\n                    11a\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    11b\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    12b\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    11c\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    11d\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    13a\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    13b\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    14b\t This audit recommendation contains information concerning security deficiencies in\n                         NARA\'s handling of national security classified materials, and has not yet been made\n                         publicly available.\n                    5\t   The Executive of Agency Services should require AFO-SD to perform periodic monitoring\n                         to ensure only individuals with the appropriate levels work in the Vault.\n                    7b\t Establish a procedure to ensure combinations are changed as soon as reasonably possible\n                         upon departure of an individual who had knowledge of the combination.\n                    7c\t Ensure periodic reviews of Vault access are performed.\n                    9a\t   The Executive of Agency Services should ensure employees and contractors are restricted\n                          from entering AFO-SD through the loading dock doors.\n                    9b\t   Ensure a policy that requires rear entrance doors to be kept closed and locked is designed,\n                          implemented, and enforced.\n                    9c\t   Ensure a policy that requires couriers to furnish identification and agency manifest\n                          documents when approaching the loading docks is developed, implemented and enforced.\n                    9d\t   Ensure a staff person or contractor guard is dedicated to monitor the loading docks at all\n                          times.\n 12-05      Audit of the management of Records at the Washington National Records Center\n                    10    The Executive of Agency Services should ensure a plan is developed to help all agencies\n                          transition to fully using all of the features available in ARCIS\'s Customer Portal.\n                    11\t   The Executive of Agency Services should ensure explicit requirements are communicated to\n                          agencies on how boxes should be transferred to FRCs. When boxes do not meet these\n                          requirements FRCs should correct the problems and enforce the policy of billing agencies\n                          for the additional costs to correct the problems.\n                    12a\t Procedures for all WNRC processes are documented. Review existing procedures and\n                         update as necessary.\n                    12b\t Procedures between unclassified and classified processes are consistent where possible.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                          Page 40\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    1a\t   The Executive of Agency Services should ensure a robust review process for records\n                          received at WNRC is implemented and monitored.\n                    1b\t   The current policy of requiring cleared personnel to receive all classified records is enforced\n                          and monitored.\n                    2\t    The Executive of Agency Services should ensure a formal tracking mechanism is\n                          implemented for new records received but stored in the hallways due to lack of shelving\n                          space.\n                    3a\t   A Problem Resolution Process is created for all problems, regardless of whether they are\n                          considered major or minor. All problems should be tracked to resolution and supported by\n                          adequate documentation.\n                    3b\t   A mechanism to facilitate the problem tracking and resolution process is implemented.\n                    4a\t   The Executive of Agency Services should ensure a vendor is secured to destroy non-textual\n                          records.\n                    4b\t   The Executive of Agency Services should ensure records already approved for disposal are\n                          destroyed.\n                    4c\t   The Executive of Agency Services should ensure the disposal review process is streamlined.\n                    5\t    The Executive of Agency Services should ensure a process to perform periodic inventories\n                          of the records held at WNRC is documented and implemented. This process should be\n                          systematic and repeatable.\n                    6b\t   A detail review of the record storage areas is performed to assess the conditions of records\n                          stored at WNRC Problems identified should be corrected.\n                    6c\t   Employees are reminded of the importance of safeguarding records, including what to do\n                          when boxes deteriorate or no longer support the stored contents.\n                    7\t    The Executive of Agency Services should ensure accounts for separated or terminated\n                          employees are terminated in a timely manner. Also quarterly reviews of access to ARCIS\n                          should be performed to identify whether user accounts access is appropriate.\n                    8\t    The Executive of Agency Services should ensure management designs and implements\n                          monitoring activities for records processed at WNRC including weekly, monthly, and\n                          quarterly reports.\n                    9a\t   The Executive of Agency Services should ensure appropriate training is provided to Vault\n                          personnel on the Classified SOP.\n                    9c\t   A monitoring process is implemented for ensuring classified operations are performed as\n                          written in the Classified SOP.\n                    9d\t   The Classified SOP is reviewed on an annual basis and updated when necessary.\n 12-09      Audit of NARA\'s Data Center Consolidation Initiative\n                    1a    The CIO should update the Master System List and/or the Enterprise Architecture to\n                          incorporate NARA\'s data center consolidation goals, including the approach, rationale, and\n                          a preliminary timeline of activities.\n                    1b\t   The CIO should update the Master System List and /or Enterprise Architecture to\n                          incorporate energy usage calculations.\n                    1c\t   The CIO should update the Master System List and/or the Enterprise Architecture to\n                          incorporate realistic estimates of funding needed or savings to be realized from\n                          implementing NARA\'s data center consolidation goals.\n                    1d\t   The CIO should update the Master System List and/or the Enterprise Architecture to\n                          incorporate annual savings metrics such as rack count reduction, server count reduction,\n                          energy usage reduction, and energy cost reduction to monitor progress.\n                    2\t    The CIO should update transition plans within the Enterprise Architecture annually to\n                          outline the year-by-year evolution of NARA\'s applications and supporting IT infrastructure\n                          in the context of OMB\'s guidance on cloud-first deployment and consolidation.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 41\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    3\t    The CIO should conduct the consolidation/virtualization analysis to investigate the impact\n                          of consolidating or virtualizing two major application domains (NISP and ERA) and the\n                          General Support System (NARANET) as planned or evaluate other alternatives to increase\n                          the average server utilization rate.\n                    4\t    The Executive for Business Support Services should evaluate the current organization of\n                          rack space and determine whether servers can be consolidated into fewer racks when\n                          considering space optimization, power consumption, operations management, and\n                          component failure/recovery perspectives.\n                    5\t    The CIO should review and approve the annual Enterprise Architecture update to ensure\n                          that the agency is considering OMB\'s cloud first policy and guidance on virtualization and\n                          consolidation.\n 12-10      Follow up Audit of Artifacts\n                    1a    The remaining five libraries complete baseline inventories as expeditiously as possible with\n                          master copies forwarded to LP.\n                    1b\t   The remaining five libraries performing baseline inventories complete legacy reconciliation\n                          to identify discrepancies as expeditiously as possible and all libraries with identified\n                          discrepancies take action to resolve the discrepancies.\n                    1d\t   The time-lapse between inventory cycles is completed I a timelier manner than the current\n                          guide of seven to ten years for libraries with larger collections, or an analysis has been\n                          completed to indicate that the current guidance is appropriate.\n                    1e\t   Interim steps are developed to document and monitor deleted records from the current\n                          collections database system or a replacement database is implemented.\n                    1f\t   Photographs of all VV artifacts and artifacts on loan are completed, and all libraries\n                          establish plans to photograph their remaining collection.\n                    1g\t   The detailed policies and procedures for deaccessioning artifacts are finalized.\n                    1h\t   Appropriate storage hardware for the Reagan Library is procured and installed.\n                    2a\t   Develop and identify an appropriate staffing plan for museum operations. The plan should\n                          1) align with collection sizes and life cycles, (2) include temporary staff other staffing\n                          alternatives to support collection inventories and other core collection work, and (3) identify\n                          the planned inclusive time periods devoted to the collection inventory.\n                    2b\t   Review and revise current time-guidance policy, as appropriate, for baseline inventories for\n                          newly established Presidential Libraries.\n                    3a\t   Clarify/Develop guidance regarding the process for resolving and managing outstanding\n                          anomalies as the completion of the baseline inventory including procedures to report all\n                          missing artifacts to the OIG and Holding Protection Team.\n                    3b\t   Develop a format for reporting anomalies that includes a curatorial ranking or other\n                          characterization of open anolomies.\n                    4\t    Develop management controls to minimize the risks associated with a lack of separation of\n                          duty over the safeguarding of Presidential artifacts.\n                    5a\t   Clarify policy concerning what should be classified as a V/V artifact. An appropriate lists\n                          needs to be developed to ensure those artifacts requiring additional stewardship measures\n                          are included.\n                    5b\t   Develop documentation guidelines that identify the importance of supporting the conclusion\n                          reported on the annual V/V reports. When counting objects, the support documentation\n                          should show the same count.\n                    5c\t   Develop an annual V/V report format the prompts the preparer of the report to include the\n                          requested data.\n                    6a\t   Separation of duty policies are developed and efforts to minimize the possible unauthorized\n                          removal of Presidential gifts from courtesy storage with compensating controls.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 42\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    6b\t   Reconciliation procedures between the completed inventories and White House legacy\n                          documentations for both Bush 43 and Obama administrations as a compensating\n                          management control until the separation for duties issue at LM are mitigated.\n                    6c\t   Policy is developed for a security escort when picking up HVO gifts from the White House\n                          for courtesy storage at NARA.\n                    7a\t   Policies and procedures are clarified and reiterated to library personnel concerning 1)\n                          sequestration of museum artifacts from library personnel other than museum personnel, 2)\n                          procedures to periodically review access logs and security camera tapes.\n                    7b\t   Policies and procedures for Presidential Library artifacts on long-term loan are re-iterated\n                          and disseminated to library personnel concerning 1) the annual update of loan agreements\n                          and 2) requirements for long-term loans including photo requirements and\n                    7c\t   Reiterate NARA policy to adequately backup inventory-related collection documentation.\n                    8a    Update comprehensive set of museum collection management policies and procedures and\n                          ensure their development.\n                    8b    Establish procedures to periodically review and, if necessary, revise said policies and\n                          procedures.\n 12-11      NARA\'s Network Assessment Audit\n                    1     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    10    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    12    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    13    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    14    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    17    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    18    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    19    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    2     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    20    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    23    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    24    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    25    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    26    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    27    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    28    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    32    This recommendation contains information about IT deficiencies which, if made public,\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                           Page 43\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    33    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    34    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    35    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    37    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    38    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    4     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    40    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    41    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    42    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    44    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    45    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    47    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    48    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    50    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    51    This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    6     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    7     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    8     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n                    9     This recommendation contains information about IT deficiencies which, if made public,\n                          could endanger NARA systems. Please contact the OIG if you need further information.\n 12-12      Audit of NARA\'s Parking Program\n                    1a\t   Establish a deadline to have the LPR system operational and able to read license plates at an\n                          acceptable read accuracy percentage at A2\'s three entrances before acceptance of the\n                          system. If the LPR system cannot be made operational and cannot read license plates at an\n                          acceptable read accuracy percentage at AII\'s three entrances by this deadline then NARA\n                          needs to implement a new strategy to control parking at AII that reduces its reliance on the\n                          LPR system.\n                    1b\t   Re-examine the sufficiency of the parking controls in place at the Pepco Lot.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                          Page 44\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n 12-14      Audit of OGIS\n                    2     Director of OGIS through the budget process define the resources necessary to better\n                          accomplish the statutory requirements of the office. If NARA budget staffing limitations\n                          and competing priorities negate NARA\'s abilities to fund the requirements of OGIS, we\n                          recommend this condition be reported to the appropriate external stakeholders.\n\n 12-15      Audit of NARA\'s Classified Systems\n                    1     The Executive for Information Services/CIO, in coordination with the Chief Operating\n                          Officer, should ensure all classified system authorization packages are updated in\n                          accordance with NARA policy.\n                    2\t    The Executive for Information Services/CIO, in coordination with the Chief Operating\n                          Officer, should establish a timeframe for review and approval of authorization documents.\n                    3\t    The Executive for Information Services/CIO, in coordination with the Chief Operating\n                          Officer, should develop a continuous monitoring strategy for classified systems requiring\n                          system owners on at least a quarterly basis to assess security controls and inform\n                          authorizing officials when changes occur that may impact the security of the system.\n                    4\t    The Executive for Information Services/CIO, in coordination with the Chief Operating\n                          Officer, should obtain authorizations to operate for each of the classified systems or\n                          disallow them in accordance with NARA and Federal policy.\n                    8\t    The Executive for Information Services/CIO, in coordination with the Chief Operating\n                          Officer, should ensure all contingency plans are updated, completed, reviewed, and tested in\n                          accordance with NARA policy.\n 12-17      Audit of NARA\'s Public Transit Subsidy Program\n                    3     Require employees to affix a copy of the applicable state or local transit authority online trip\n                          planner or other documentation supporting their commuting expenses to their application for\n                          transit benefits.\n 13-01      Audit of NARA\'s Internal Controls Program for FY 2010\n                    1a    The MCOC becomes more involved in the decision-making and implementation plan for the\n                          ICP. Additionally, periodic reports must be presented to the MCOC to review the progress\n                          of the ICP.\n                    1d    Resources are employed to develop and implement the ICP including but not limited to a\n                          Chief Risk Officer, additional employees or contractors, and the purchase of appropriate\n                          ICP software.\n                    1e    Risk management responsibilities are included in the performance plans for program and\n                          function owners.\n                    1f\t   Prior recommendations from previous OIG and GAO reports are closed.\n                    1g\t   A Risk Management Policy is created to communicate NARA\'s commitment to enterprise\n                          risk management.\n                    1i\t   A training plan is developed that encompasses educating the agency on risks and internal\n                          control. Additionally training is provided to all individuals responsible for executing the\n                          ICP, including program owners function owners and MCOC members.\n 13-03      Audit of ERA Preservation Efforts\n                    1     The CIO should ensure the ERA Program Manager follows NARA 805 SDLC Handbook\n                          and System Development Guidelines for any enhancements or modifications to ERA\n                          including the Requirements Definition Activity and Requirement Review Process.\n                    2\t    The CIO should establish a test environment for ERA that is representative of the\n                          production environment and use this test environment to ensure future enhancements or\n                          modifications to the system perform in accordance with specified technical and contractual\n                          requirements.\n                    3\t    The CIO should implement a process for documenting, analyzing, and tracking suggestions\n                          and recommendations made by ERA stakeholders and ACERA.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 45\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    4\t    The CIO should conduct and document a thorough assessment of the production version of\n                          the ERA system\'s preservation framework capabilities.\n                    5\t    The CIO should establish a quality control process for reporting ERA preservation status to\n                          internal and external stakeholders and the public.\n 13-08      Audit of NARA\'s Preservation Program (Textual)\n                    1a\t   The Archivist should ensure an overarching preservation strategy is developed.\n                          Additionally, a risk based approach to holistically assess the agency\'s preservation needs\n                          and design the agency\'s preservation plan should be implemented.\n                    1b\t   The Archivist should ensure an analysis is conducted of the organizational structure and\n                          responsibilities of each office involved in preservation. This should include a determination\n                          whether the preservation strategy can be effectively implemented with a decentralized\n                          structure, or if one NARA office should have authority over the entire Preservation\n                          Program.\n                    2\t    The Chief Innovation Officer and Executives for Research Services and Legislative\n                          Archives, Presidential Libraries and Museum Services should ensure comprehensive\n                          preservation policies and procedures for each of their organizations are developed and/or\n                          updated.\n                    3a\t   The Chief Innovation Officer and Executives for Research Services and Legislative\n                          Archives, Presidential Libraries and Museum Services completely identify the resources\n                          necessary to adequately accomplish NARA\'s preservation mission.\n                    3b\t   Develop a plan to identify the complete universe of textual and non-textual records that\n                          require preservation.\n                    4\t    The Executive for Research Services should ensure a detailed analysis is performed and\n                          communicate about the risks versus the benefits associated with not using the existing risk\n                          assessment data to calculate the backlog for the Washington Area Archives.\n                    5a\t   The Executive for Research Services should ensure an analysis is performed to determine if\n                          additional risk assessments for the Washington Area Archives and Presidential Libraries\n                          including older holdings should be completed. Identify the risks for not completing the\n                          assessments.\n                    5b\t   The Executive for Research Service should ensure additional measurable performance\n                          metrics are developed and implemented to track the progress within the Preservation\n                          Program.\n                    5c\t   The Executive for Research Services should ensure a cost benefit analysis for the HMS\n                          circulation Module is completed. Request required resources if the cost benefit analysis\n                          identifies benefits to the agency.\n                    5d\t   The Executive for Research Services should ensure Denver, St. Louis, and Special Media\n                          implement HMS to record risk assessments.\n                    6\t    The Executive for Legislative Archives, Presidential Libraries and Museum Services should\n                          ensure an analysis is performed to identify whether HMS should be implemented across the\n                          Libraries. If it is decided HMS will be implemented a timeline should be established. If it\n                          is decided HMS will not be implemented identify (1) how the existing system will meet the\n                          agency\'s preservation needs and (2) obstacles and risks for not implementing HMS.\n\n 13-09      NARA\'s Data Backup Operations\n                    1     The CIO should create a full backup of the EOP instance of ERA as soon as the upgrade and\n                          data migration is complete.\n                    10\t   The CIO, the Director of Acquisition Services, and NARA\'s Office of General Counsel\n                          should review purchases made for offsite storage costs to determine whether NARA\'s\n                          procurement process and Federal appropriations laws were violated and if so take\n                          appropriate corrective action.\n                    11\t   The CIO, the Director of Acquisition Services, and NARA\'s Office of General Counsel\n                          should review language in the NITTSS contract an determine whether payments NARA\n                          made for offsite storage were proper, and what, if any, remedies are available.\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                           Page 46\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    2\t    The CIO should encrypt backup tapes containing sensitive PII or devise another method of\n                          protecting the data that provides a similar level of security.\n                    3\t    The CIO should include the restoration of files from backups as part of the annual\n                          contingency plan testing for at least high impact systems such as ERA and CMRS.\n                    4\t    The CIO should develop a process to regularly test data backups to verify information\n                          integrity.\n                    5\t    The CIO should develop increased oversight procedures for the process of sending backup\n                          media offsite to ensure media is rotated offsite as prescribed.\n                    6\t    The CIO should evaluate the risks associated with storing backup tapes within the same\n                          geographic area as AII and determine whether the current strategy is sufficient.\n                    7\t    The CIO should create or update Backup and Recovery Plans and Procedures for the Case\n                          Management and Reporting System.\n                    8\t    The CIO should review the current list of Iron Mountain containers assigned to NARA and\n                          return those containers that are no longer needed.\n                    9\t    The CIO should examine the contents of those containers marked as permanent and\n                          determine whether permanent storage is still required.\n 13-10      NARA Archival Facilities\n                    1a    The COO should ensure a comprehensive review of the Standards is completed.\n                          Additionally roles and responsibilities for offices involved in the execution of the directive\n                          are clearly defined\n                    1b    The COO should ensure a plan is developed including a timeline for when the archival\n                          storage facility reviews will be completed.\n                    1c\t   The COO should ensure an accurate listing of facilities currently compliant with the\n                          Standards along with the area of deficiencies is identified and communicated.\n                    1d\t   The COO should ensure resources needed to make all archival storage facilities compliant\n                          by 2016 are identified. If the facility cannot be brought into conformance with the\n                          Standards, determine and document what mitigating actions have been implemented.\n                    1e\t   The COO ensure PMRS is updated to accurately reflect percentage of archival holdings in\n                          appropriate space.\n 13-11      Audit of ERA Ingest Efforts\n                    1     The COO assess Federal agency usage of Base ERA and implement a process to improve\n                          the records management workload and records management practices that exist between\n                          NARA and Federal agencies to ensure electronic records are being properly transferred.\n                    2\t    The COO identify the most efficient and effective method of ingest and require Federal\n                          agencies to follow this method when transferring electronic records into base ERA. In\n                          addition this information should be properly disseminated to Federal agencies.\n                    3\t    The COO work with NARA\'s Chief Information Officer to continue the detailed analysis of\n                          race conditions related to Base ERA. After the conclusion of this analysis NARA should\n                          use the information learned to create a plan to analyze and correct the issues identified.\n 13-12      Audit of the NARA IDS\n                    1     The CIO should evaluate the access requirements each user needs to perform their job\n                          responsibilities, limit the global administrator privilege to only those whose job\n                          responsibilities require the exclusive permissions, and establish permission groups allowing\n                          users to access limited reports or functionalities within the system.\n                    10\t   The CIO should perform a cost benefit analysis for enabling the intrusion prevention option\n                          for the network-based IDPS.\n                    11\t   The CIO should evaluate the rule sets of the IDPSs for NARA\'s network on a periodic basis\n                          to ensure proper rules have been selected and enabled to effectively detect and prevent\n                          intrusive attacks.\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 47\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n                    12\t   The CIO should ensure the preliminary reporting of all incidents and events reportable to\n                          US-CERT is made with the specified timeframes. Further details on the incident or event\n                          gathered after the original reporting should be communicated to US-Cert as an update.\n                    13\t   The CIO should ensure the resolution process for a computer incident is appropriately\n                          monitored and reviewed on a timely and periodic basis to minimize erroneously closed\n                          incident tickets and the unnecessary time gaps between the resolution steps.\n                    14\t   The CIO should ensure incident response tabletop exercises are conducted for staff\n                          performing and/or supporting computer security incidents on at least an annual basis, and\n                          practical and relevant topics to NARA\'s computing environment are covered within the\n                          exercises.\n                    15\t   The CIO should develop a policy for CIRT members to take training at least on an annual\n                          basis to ensure they remain up to date with current patterns/types of cyber attacks and\n                          effective, efficient incident remediation methodologies.\n                    16\t   The CIO should fully develop and document a process for reviewing the list of individual\n                          with access to systems hosted in NARA\'s computer rooms, define the frequency of the\n                          review in accordance with system categorization and availability requirements and ensure\n                          the frequency is properly documented in the system\'s SSP.\n                    17\t   The CIO should fully develop and document the process for reviewing visitor logs for\n                          NARA\'s computer rooms, including clearly defined review frequencies and assignment of\n                          the duties to appropriate individuals for performing reporting and acting upon the review.\n                    18\t   The CIO should fully develop and document the policies and procedures for a cable\n                          management system, including labeling using proper cable ties and or trays and periodic\n                          inspection of the cables for the HIPS and anti virus management system.\n                    2\t    The CIO should systematically enforce password parameters for system users at the\n                          application level consistent with NARA\'s Enterprise Architecture password requirements.\n                    3\t    The CIO should consider re-evaluating the rule sets currently in use by the system for\n                          detection accuracy and customizing them to potentially reduce the number of intrusive\n                          attempts going undetected.\n                    4\t    The CIO should consider conducting a cost-benefit analysis on deploying the system to all\n                          NARA unclassified system connected to the network.\n                    5\t    The CIO should develop a comprehensive quality assurance surveillance plan that includes\n                          the services provided by the contract, surveillance methods for each service, and designation\n                          of the surveillance monitoring duties to appropriate individuals or offices.\n                    6\t    The CIO should develop a comprehensive method to verify that the actual performance data\n                          included on the contractor\'s Monthly Compliance Reports is complete and accurate for each\n                          service provided by the contractor.\n                    7\t    The CIO should develop a comprehensive process to ensure SLA credits are requested in a\n                          timely manner by designated individuals at NARA and to verify whether the amount of\n                          credit received is accurate based on the SLA type and number of consecutive months the\n                          SLA miss occurred.\n                    8\t    The CIO should request corrected Monthly Compliance Reports including the actual\n                          performance values for all services NARA procured from the contractor for the last six\n                          months review the reports to determine whether there were any unmet SLAs for which\n                          NARA would be entitled to a credit, and request the identified credit(s), if any, in\n                          accordance with the contract.\n                    9\t    The CIO should create a process to ensure information pertinent to performance of the\n                          contract including agreed upon procedures for securing the network is properly\n                          communicated to and from the contractor and among the individuals at NARA whose job\n                          responsibilities require attention to such information.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                          Page 48\nOctober 1, 2013 to March 31, 2014\n\x0cREPORTING REQUIREMENTS\n\n 13-14      Audit of the Processing of Textual and Electronic Records\n                    1\t    The Archivist should ensure an analysis is conducted of the organizational structure and\n                          responsibilities of each office involved in processing. This should include a determination\n                          whether the processing strategy can be effectively implemented with a decentralized\n                          structure, or if one NARA office should have authority over the entire Processing Program.\n                    2a\t   The Executive of Research Services should coordinate with the Executive for Legislative\n                          Archives, Presidential Libraries and Museums to develop a processing policy and agency\n                          definitions. This policy and definition should highlight the difference between Federal\n                          records processing and processing of Presidential records.\n                    2b\t   The Executive of Research Services should ensure the San Bruno, St. Louis, and Chicago\n                          field locations have a current processing backlog reduction plan. These plans should be\n                          developed yearly and updated periodically during the year as necessary.\n                    2c\t   The Executive of Research Services should ensure the cost benefit analysis study on serving\n                          unprocessed records is completed, and ensure it outlines the risks and benefits of serving\n                          unprocessed records with an appropriate strategy consistent across the agency.\n                    2d\t   The Executive of Research Services should conduct a workload analysis to determine if\n                          resource allocation between AI and AII is appropriate.\n                    3\t    The Executive for Legislative Archives, Presidential Libraries and Museums should (a)\n                          analyze the backlogs at the pre-PRA libraries and create processing plans for reducing the\n                          backlogs at these libraries on a more accelerated basis; (b) assess if there are additional way\n                          to accelerate processing at the PRA libraries; (c) work with the Performance and\n                          Accountability Office to update the PMRS metadata to require an ARC entry prior to\n                          considering Presidential records processed.\n                    4\t    The Executive for Research Services and the Executive for Legislative Archives,\n                          Presidential Libraries and Museums, should work with the Performance and Accountability\n                          Office to reassess current processing goals and make changes to the goals.\n                    5a\t   The Executive for Legislative Archives, Presidential Libraries, and Museum Services\n                          should work with the Performance and Accountability Office to develop a performance\n                          measure for tracking the process of electronic presidential records.\n                    5b\t   Determine the true backlog of electronic presidential records and determine if additional\n                          resources are needed and can be obtained to handle the increased workload.\n                    6\t    The Executive for Legislative Archives, Presidential Libraries and Museums and the\n                          Executive for Research Services should ensure a review is performed to validate the\n                          accuracy of processing data supplied to the Performance and Accountability Office.\n                    7\t    The Executive of Research Services should ensure procedures for all field locations are\n                          documented. Review existing procedures and update as necessary.\n                    8\t    The Executive for Legislative Archives, Presidential Libraries and Museums should ensure\n                          procedures for all Presidential libraries are documented, and review existing procedures and\n                          update them as necessary.\n 13-15      NARA\'s Handling of Paper-Based Disclosure of Personally Identifiable Information\n                    1     Assess the current process of providing a copy of military or civilian personnel records to\n                          the requestor and enhance the control to minimize instances of incorrect records being sent\n                          to the requestor.\n                    2\t    Develop a process to ensure erroneously sent copies of the records containing PII are\n                          properly returned to NARA and matched to the complaints.\n\n\n\n\nSEMIANNUAL REPORT TO CONGRESS                                                                            Page 49\nOctober 1, 2013 to March 31, 2014\n\x0c'